I'm building a rails app that communicates with other servers via ftp. The user needs to input their host, username and password for their particular ftp server. I wouldn't want to store their password as cleartext, but I need the actual password to connect to the server when it comes time. Would it make sense to use a two-way hash?
I found a few implementations that might do the job:
http://crypt.rubyforge.org/blowfish.html
http://crypt.rubyforge.org/rijndael.html
http://ezcrypto.rubyforge.org/
Thanks,
Trevor
Since password is eventually passed to the FTP server as cleartext, any db encryption is a bonus.
I ended up using attr_encrypted which worked great.
Related
I found ways to configure symmetric encryption for the database user but no way to configure keys or something similar to encrypt the data sent to the database.
Is there any database supported by Ruby in Rails that allows specifying such encryption ? MariaDB / MySql is preferred.
With the help of tadman I found an adaptor which is able to set several SSL related parameters like sslkey but I still don't know how this works with database.yml: http://api.rubyonrails.org/v4.2.6/classes/ActiveRecord/ConnectionAdapters/MysqlAdapter.html
I have wrote a simple Django web service that provides an iOS app with JSON information containing download links.
I don't mind the JSON information to be clear text, but when the user logs in, I would like him to login with his username and password, then he would probably get some kind of key for future requests which I understand that can be sniffed out. For that first interaction, how could I protect the password and username from being clear text and sniffed?
I have decided I wanted to use a symmetric encryption to encrypt my password and have that key both on client and on server. (yes, I am aware that if someone goes to the trouble of binary hacking my app and sniffing packets from a customer he would be able to get the password in clear text, it's just not a likely concern).
I would like to use some kind of encryption that I can easily do in iOS and than decrypt in my django server. anyone has a suggestion on how to do that?
If you want to encrypt the communication between your django server and the client then you can use secure HTTP rather than plain old HTTP. This is done outside django, and is configured at the web server level. For example, if your django app is ran by a WSGI server like gunicorn or uWSGI which in return is handled by nginx (this is a common setup) then you would configure your nginx server to accept only secure HTTP requests and forward any standard http request to https. This way you can ensure that everything the client sends to the server is encrypted on the browser prior to sending. Similar setup is done with Apache, though I personally have never used Apache with django.
Since the OP feels that HTTPS is not a viable option a modification of CHAP Challenge-Handshake Authentication Protocol for the initial key creation might be an option.
I have a program in which checks a php file on a web server to see if the user is verified. The php files runs through the DB and checks and echos "verified" if they are.
Now, people are now easily bypassing the verification system by installing Xampp, routing my server to 127.0.0.1 in their hosts file, and then setting a script that echos verified.
I want to be able to check the IP address of my domain to check if it is routing to 127.0.0.1.
How would I go about resolving the IP address of a domain through delphi?
I used to use a similar hack to get around ICQ server-side verifications. Very convenient when I wanted to test alpha/beta builds that I was not invited to :-)
Indy, which ships with Delphi, has a TIdStack.ResolveHost() function, and a separate TIdDNSResolver component, which can both be used to get the domain's IP(s). It also has a TIdStack.LocalAddresses property to retreive the local IPv4 addresses. Or you can just use the socket API gethostbyname() or getaddrinfo() functions directly, along with platform-specific APIs to enumerate the local IPs, like the GetAdaptersAddresses() function on Windows.
However, rather than having the PHP script simply echo plain-text back to your app, a much more secure option that does not require you to verify IPs is to have your app create a dynamically generated nonce value and send it to the PHP script, then have the script process it, hash it, whatever as needed using an algorithm that only you know, and then send it back to the app. The app can perform the same algorithm and compare the results. Unless someone takes the time to reverse engineer your app, they will not be able to reproduce your algorithm or fake its results with their custom Xampp scripts.
Even better, use SSL/TLS to encrypt your connection to your domain server, and give your domain server an SSL certificate that your app can verify before it exchanges any data with your PHP script. If you do just this much, you can continue using the plain-text echo since SSL/TLS will verify you are connected to your domain for you.
I'm fairly new to Ruby on Rails and actually entirely new to website mailing. In a lot of example tutorials I see a "from" object assigned to, for example, "new#example.com". When I setup the emailing functionality on a localhost the RoR command prompt says that everything finished fine even when I keep "new#example.com" as the from object. Can I actually mail from a localhost port? What would I have to put as my "from" address in order to actually send mail from the my local web application? Just a regular email I have? How would it be authenticated to ensure that the "from" address is actually the real address?
It seems a really fundamental concept and I understand all the model/view/controller actions that have to be done to make it work but I'm confused I guess as to how it actually works
In general the from field can be anything.
Some mail servers may take action if they think that you are claiming to be someone you are not, such as blocking mail or marking it as spam (via mechanisms such as DKIM or SPF). These are done at the domain level, ie the mail server tries to work out whether the server talking to it is allowed to send email claiming to be from #example.com.
Other mail servers mail just silently rewrite your from field if they know who you are, for example if you are talking to the gmail smtp servers and have authenticated as bob then the from field will be set to bob#gmail.com, unless it is already set to an email address gmail knows you own.
By default, in development rails doesn't try and send email at all. For it to send email you need to configure the deluvery_method, usually this involves either setting it to :sendmail (if you have an appropriately configured instance of sendmail running locally) or setting to :smtp and also providing details of an smtp server to use.
I'm making a twitter client, and I'm evaluating the various ways of protecting the user's login information.
Hashing apparently doesn't do it
Obfuscating in a reversable way is like trying to hide behind my finger
Plain text sounds and propably is promiscuous
Requiring the user to type in his password every time would make the application tiresome
Any ideas ?
You could make some OS calls to encrypt the password for you.
On Windows:
You can encrypt a file (on a NTFS filesystem)
Use the DPAPI from C
Use the DPAPI in .Net by using the ProtectedData class
CryptProtectData is a windows function for storing this kind of sensitive data.
http://msdn.microsoft.com/en-us/library/aa380261.aspx
For an example see how Chrome uses it:
http://blog.paranoidferret.com/index.php/2008/09/10/how-google-chrome-stores-passwords/
For Windows: encrypt the password using DPAPI (user store) and store it in your settings file or somewhere else. This will work on a per-user basis, e.g. different users on the same machine will have different unrelated encryption keys.
What platform?
On *nix, store the password in plain text in a file chmoded 400 in a subdirectory of the home directory. See for example ~/.subversion. Administrators can do anything they like to users anyway, including replacing your program with their own hacked version that captures passwords, so there's no harm in the fact that they can see the file. Beware that the password is also accessible to someone who takes out that hard drive - if this is a problem then either get the user to reenter the password each time or check whether this version of *nix has file encryption.
On Windows Pro, store the password in an encrypted file.
On Windows Amateur, do the same as *nix. [Edit: CryptProtectData looks good, as Aleris suggests. If it's available on all Windowses, then it solves the problem of only the more expensive versions supporting encrypted files].
On Symbian, store the password in your data cage. Programs with AllFiles permission are rare and supposedly trusted anyway, a bit like *nix admins.
You can't have your cake and eat it too. Either store the password (which you've ruled out), or don't and require it to be typed in every time (which you've ruled out.)
Have a good symmetric encryption scheme, it should make it difficult enough to decrypt the credentials that it won't worth trying.
Otherwise, if the service only requires the hash to be sent over the network, you can store the hast encrypted. This way even the decryption won't get the attacker closer to the solution.
However other users are true. If you store the data it can be found.
The key is finding the balance between security and usability.