Having special characters is a good idea but having a comma just to break a CSV is dumb. This would only happen if the hacker used a bad exporter or created their own (very poorly).
AFAIK it's only "ambiguous" in the sense that if you get a csv file you can't determine the exact parsing behavior to use, but if you know what program created the csv (or what encoder options were used), it's not ambiguous to parse.
>but things get really hairy really fast when you start adding types or BLOBs in the CSV.
AFAIK BLOBs are hex encoded, which make them a non issue.
One behaves differently when driving, and be mindful of 360 degrees, checking the mirrors every 5-10 seconds, etc. But if one has a wall of screens, perhaps in the long run they may be able to convert the 2d (wall of monitors) to the 3d (360/surroundings) and sense it accordingly.
Lag/downtime/tunnels/etc. would kill, and should be flawless.
There are only 2 ways for some "bad actor" to do this sort of MITM (man in the middle).
1) Illegally tap into a node on the internet backbone. The only cases I've heard of where this has actually occurred involved either corrupt ISPs or governments in dictatorial or 3rd world countries. If government is involved, all bets are off.
2) Inject software inside your local computer or network. In which case, all bets are off once again. Once inside your network, these "bad actors" would presumably have full access to the SSL/TLS handshake process as well and thus be able to decrypt traffic as they see fit.
Bottom line: The case for HTTPS everywhere is weak and is mostly about perception created by 3rd parties (like Google) with a vested interest.
- route throttling to something high since if they are new users they shouldn't need to hit that form more than once
- don't let the end user know that you were able to send an email. Keep it vague like "if your email exists, you should receive an email soon."
- don't use a personal email server; something like sendgrid can give you a server that is in good/neutral standing
- if you have to handle your own emails, keep up with any bounce backs and always keep an eye your server being on any blacklists to get it cleared out as soon as possible
- honeypots can be useful if the spammer(s) isn't keeping a close eye on their scripts
> don't let the end user know that you were able to send an email.
I need to stress this is a very important point. If you happen to state the email they entered already exists in the system, the attacker now knows that is a valid account then use a known password linked to that email to gain access.
reply