Rails: Is the Devise gem secure?

I have my authentication on my web app running on the Devise gem. I was wondering if it was secure. Yes, it stores the passwords as hashes in the database, uses encrypted tokens after logging in etc. But how about in the initial login phase? Does it send the user's password unencrypted over the air (I don't have SSL)? Could it have the client encrypt it with a certain public key that only the server could decrypt? Or is SSL the only way to encrypt the user's password?

Thanks!

asked May 3 '12 at 10:05

When using browsers as client, TLS is the only way to protect against MitM/active attackers. There are a few techniques to protect against passive attackers, but I strongly recommend TLS. -

2 Answers

It is secure, remember Rails uses authenticity_token. I haven't heard of issues yet.

answered May 3 '12 at 11:05

ah - is this authentication token used to encrypt the user's password, for example, at the client itself? - Karan

Great explanation. Thanks Vezu. From what I understand, the authentication_token is used to protect users from CSRF - the authentication token is stored in the form's field, however, it still doesn't say whether the form sent to the server is plain text or it is encrypted by the token itself. - Karan

This is also interesting. github.com/plataformatec/devise/wiki/… - Benjamin

I don't think that is right. "Be warned that HTTP Basic Authentication transmits the username and password in clear text, so you should not use this method for applications where a higher level of security is required." - pivotallabs.com/users/ledwards/blog/articles/… - Karan

"Be warned that HTTP Basic Authentication transmits the username and password in clear text, so you should not use this method for applications where a higher level of security is required."

http://pivotallabs.com/users/ledwards/blog/articles/1534-http-basic-authentication-and-devise

answered May 27 '12 at 01:05
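To make the point of the quoted warning and of the TLS comment concrete, here is an added example (not code from the question, the answers, or the Devise project). The first function shows that HTTP Basic credentials are only Base64-encoded, so without TLS anyone on the path can read them; the `ForceTLS` class is a small Rack-style middleware written in the spirit of what Rails' real `config.force_ssl = true` (ActionDispatch::SSL) does: redirect plain-HTTP requests to HTTPS and send an HSTS header. The request environment, host name and credentials are constructed for the example.

```ruby
require 'base64'

# Decode the credentials carried by an HTTP Basic "Authorization" header.
# Base64 is an encoding, not encryption: anyone who can read the request
# on the wire recovers the username and password exactly like this.
def basic_auth_credentials(header)
  return nil unless header && header.start_with?('Basic ')
  user, password = Base64.strict_decode64(header.sub('Basic ', '')).split(':', 2)
  { user: user, password: password }
rescue ArgumentError
  nil # malformed Base64
end

# Minimal Rack-style middleware modelled on Rails' config.force_ssl:
# requests that did not arrive over HTTPS are redirected before the app
# (and the Devise sign-in form) ever handles them, and HTTPS responses get
# an HSTS header so the browser keeps using HTTPS for this host.
# Note: a redirect cannot un-send credentials already sent over HTTP; HSTS
# is what stops the browser from making that first plain-HTTP request again.
class ForceTLS
  HSTS = 'max-age=31536000; includeSubDomains'.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    scheme = env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme']
    unless scheme == 'https'
      # 301 for GET; 307 keeps a POST a POST when the browser follows it.
      status = env['REQUEST_METHOD'] == 'GET' ? 301 : 307
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
      return [status, { 'Location' => location }, []]
    end
    status, headers, body = @app.call(env)
    [status, headers.merge('Strict-Transport-Security' => HSTS), body]
  end
end

# Constructed sample: a Devise sign-in request arriving over plain HTTP with
# an HTTP Basic header (placeholder host and credentials, not real ones).
SAMPLE_ENV = {
  'rack.url_scheme' => 'http',
  'REQUEST_METHOD' => 'POST',
  'HTTP_HOST' => 'example.test',
  'PATH_INFO' => '/users/sign_in',
  'QUERY_STRING' => '',
  'HTTP_AUTHORIZATION' => 'Basic ' + Base64.strict_encode64('alice:hunter2'),
}
```

In a real Rails app the equivalent is simply `config.force_ssl = true` in `config/environments/production.rb`; a public-key scheme in the browser, as asked in the question, would not protect against an active attacker who can replace the page's JavaScript, which is why the comment above recommends TLS.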
