
I got some of my nifty rails apps working, and it's all jiffy and peaceful. I want to secure one tiny part that just feels wrong doing the way it is now - my sign-in procedure, where I use the form_tag with the remote option to send the content of a text and password field, for obvious reasons using POST.

Sending a password just plain over HTTP makes me feel dirty. From where I can see, I have the following options:

  1. learn to live with it and hope for the best
  2. learn something awesome to have my controller doing magic through a rails-helper-i-dunno-about trick
  3. build a separate app that runs on HTTPS and make life a living hell by going back to square one.
  4. use JavaScript encryption

Somehow I think my best option is 4 - JavaScript encryption. However, if the user types in his/her password and it gets encrypted with a part that is server-generated, it should be secure (in relation to solving the problem of sending it in plain text over HTTP) and solve my problem, I guess. But on the rails side, to get that to work is to keep (yes, I have many things to cover, still) plain passwords in my database.

I need some help here - some pointers.

MiningSam
  • No, the solution is to employ your app with HTTPS. I'm not sure why that would throw you back to square one, though. – Bergi Sep 03 '14 at 17:48
  • I don't use Rails myself, but I have a hard time believing that enabling SSL would involve a complete re-write of your application. And you should definitely not be saving plain-text passwords in the database, regardless of what form of encryption you're using on the front end. – StriplingWarrior Sep 03 '14 at 17:49
  • Have a read of these: http://security.stackexchange.com/q/17129/8749, http://security.stackexchange.com/q/8596/8749, http://security.stackexchange.com/q/47619/8749, http://security.stackexchange.com/q/53488/8749 – Bergi Sep 03 '14 at 17:52
  • possible duplicate of [About password hashing system on client side](http://stackoverflow.com/q/3715920/1048572) – Bergi Sep 03 '14 at 17:53
  • how can I partially make my app using HTTPS? Shouldn't that be an entire separate app? – MiningSam Sep 03 '14 at 17:53
  • don't make your app partial https, that's usually open for attacks just like an intercepted login. – dandavis Sep 03 '14 at 18:07

1 Answer


Why you should not use option 4: The risk of implementing something wrongly and putting your users at risk is much higher than when using something which already exists.

What you should do instead: Secure your users data by transferring it via https. Put

config.force_ssl = true

into config/environment/production.rb and you are ready to go. (Well, and tell the webserver where the appropriate certificates are…)

Ulrich Thomas Gabor
  • doesn't that make all traffic encrypted :S including the parts that don't need authentication? – MiningSam Sep 03 '14 at 17:55
  • Yes, but … who cares? Most websites are slowly migrating to exactly that behavior anyway (e.g. Facebook). I barely see a reason to restrict HTTPS to specific parts of your site. If you want to secure only a single controller, you may take a look at [this answer](http://stackoverflow.com/a/14700213/3340665). – Ulrich Thomas Gabor Sep 03 '14 at 18:04
  • thanks! That comment has the answer I was looking for! – MiningSam Sep 04 '14 at 17:53
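To make concrete what `config.force_ssl = true` actually does for the sign-in form, here is an added example (not the answerer's code and not Rails' own ActionDispatch::SSL middleware): a small Rack-style middleware that redirects plain-HTTP requests to HTTPS, keeps the POST method and body via a 307 so the login form is not silently turned into a GET, and adds an HSTS header on HTTPS responses. The host name and request hashes are constructed for the demo.

```ruby
# Added example mimicking the behaviour of Rails' config.force_ssl = true.
# Not Rails' own implementation; the demo app and requests below are constructed.

class ForceSsl
  # One year HSTS policy: browsers will refuse to talk plain HTTP afterwards.
  HSTS = 'max-age=31536000; includeSubDomains'.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)

    status, headers, body = @app.call(env)
    [status, headers.merge('Strict-Transport-Security' => HSTS), body]
  end

  private

  # Honour the scheme set by the server or by a TLS-terminating reverse proxy.
  def https?(env)
    env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    # 301 for GET; 307 for POST etc. so the browser re-sends the sign-in form over TLS
    status = env['REQUEST_METHOD'] == 'GET' ? 301 : 307
    [status, { 'Location' => location, 'Content-Type' => 'text/plain' }, ['redirecting to HTTPS']]
  end
end

# Constructed inner app standing in for the Rails application.
HELLO = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
SECURED = ForceSsl.new(HELLO)

# Build a minimal Rack env for the constructed host example.test and run it through the middleware.
def request(method:, scheme:, path:, query: '')
  SECURED.call('REQUEST_METHOD' => method, 'rack.url_scheme' => scheme,
               'HTTP_HOST' => 'example.test', 'PATH_INFO' => path, 'QUERY_STRING' => query)
end

if __FILE__ == $PROGRAM_NAME
  status, headers, = request(method: 'POST', scheme: 'http', path: '/sessions')
  puts "#{status} -> #{headers['Location']}"  # the plain-HTTP login POST is bounced to HTTPS
end
```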