top | item 6546452

(no title)

PLejeck | 12 years ago

I hope that this will at least light a fire under the asses of Rails devs everywhere, and get them to adopt HTTPS. Nothing is safe against Firesheep without HTTPS. All of these issues would be solved with HTTPS.

Also, doesn't cryptographically signing (or fully encrypting, in Rails 4) the cookie just add more time to processing than using a database? I always assumed cryptography is slower than IO

discuss

progn|12 years ago

> I always assumed cryptography is slower than IO

Cryptography is a CPU-bound operation that often has specialized hardware support. Here's a rule of thumb: in modern computing, IO incurs a greater cost than pretty much anything you can do locally on-CPU. IO is incredibly expensive: cryptography, not so much. If you pipeline your crypto operations and disk fetches, you won't increase response latency at all.

etfb|12 years ago

Ruby has a reputation for slowness ([citation needed]?) so is the cryptographic stuff implemented in the language itself or via C-or-equivalent foreign library? I could understand the "too slow, must avoid" kneejerk reaction if it's all in Ruby, even if the reputation is no longer deserved. Human nature.

RyanZAG|12 years ago

Running over HTTPS is not enough, stripping SSL when you can MITM or alter traffic is incredible easy and adds no real complexity. You must both force https and have HSTS enabled at a minimum [1]. Some javascript to ensure that the page being displayed is running over https for first-time users is also a good bet (but can be circumvented).

[1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

thibaut_barrere|12 years ago

In the case of Rails, the force_ssl option enables HSTS.

Useful link: http://jamescrisp.org/2013/08/04/moving-to-https-rails-force...

joesb|12 years ago

What do you mean? Rails support running over HTTPS. Or are you suggesting that Rails never run over HTTP only?

PLejeck|12 years ago

I'm suggesting that site operators need to use HTTPS. It doesn't matter if you use Rails, PHP, Node.js, whatever. USE HTTPS. NEVER USE HTTP.

It's as simple as that. Never assume that anything transmitted over HTTP is safe, because that assumption will come back to bite you.

__chrismc|12 years ago

I think he means getting devs who deploy Rails apps to start using HTTPS for their app, rather than there being a deficiency in the framework.

unknown|12 years ago

[deleted]