Scatmania

Scatman Dan's stuff

Posts Tagged security

SuperGenPass In MicroB On The Nokia N900/Maemo

Jan 27

Posted by Scatman Dan in Personal | No Comments

In the unlikely event that I’m not the only person who uses SuperGenPass to manage my passwords and MicroB on Maemo on my Nokia N900, here’s a few tips that I thought I’d share (they’re also valid on the N800 and N810 and “hacker edition” N770s, too, I expect):

  • You don’t have a Bookmarks Toolbar (where would you put it on a 3½ inch screen?), so once you’ve customised your SuperGenPass bookmarklet, you’ll need to click-and-hold on the generated link, and then select “Add bookmark” to save it to your bookmarks).
  • Use it as normal: either fill your master password into the form and click your Bookmarks menu and select the bookmarklet, or select the bookmarklet and give it your master password. Don’t forget when using complex forms or changing passwords that Maemo provides a full clipboard so you can copy/paste passwords around where the need arises (thankfully quite rarely).
  • If you’re irritated by the “You have requested an encrypted page that contains some unencrypted information” warnings that you see when logging into SSL-secured websites (and the fact that unlike desktop Firefox, you can’t turn it off from the settings), here’s how you disable it:
    • Enter the web address – about:config
    • Agree to the warning page, if you’re presented with one
    • Type “security.warn_viewing_mixed” into the search box, or browse the properties list for that option
    • Select it by clicking on it, and tap the Enter key to toggle it from true to false.
  • I don’t yet know the reason for the fleeting “Maximum number of characters reached” message, but it doesn’t seem to impact on functionality of SuperGenPass. Does anybody else know what it’s about or how it can be suppressed?

Tags: , ,

HttpOnly Session Cookies using ActiveRecordStore in Rails 2.2

Dec 29

Posted by Scatman Dan in Uncategorized | 1 Comment

If you’re using CookieStore to manage sessions in your Ruby on Rails application, Rails 2.2 provides the great feature that you’re now able to use HTTPOnly cookies. These are a great benefit because, for compatible web browsers, they dramatically reduce the risk of a Cross Site Scripting (XSS) attack being able to be used to hijack your users’ sessions, which is particularly important on sites displaying user-generated content. You simply have to adjust your environment.rb file with something like:

config.action_controller.session = {
:session_key => ‘_session_id’,
:session_http_only => true,
:secret      => ‘your-secret’
}
config.action_controller.session_store = :cookie_store

Unfortunately, the Rails developers didn’t see fit to extend HTTPOnly cookies to those of us using ActiveRecordStore, where the XSS risk is still just as real. To fill this gap, I’ve produced a very simple and only slightly-hackish plugin which overrides the functionality of Rails’ CGI::Cookie to force all cookies produced by Rails to be HTTPOnly, regardless of the session store being used.

To use it, download this file and exract it into your application’s vendor/plugins directory, and restart your application server. You can test that it’s working using Tamper Data, FireCookie, or whatever your favourite cookie sniffing tool is.

Tags: , , , ,

SSL Client Certificate Authentication In Ruby On Rails

Sep 16

Posted by Scatman Dan in Personal | 2 Comments

I’ve been playing with using client-side SSL certificates (installed into your web browser) as a means to authenticate against a Ruby on Rails-powered application. This subject is geeky and of limited interest even to the people who read this blog (with the possible exception of Ruth, who may find herself doing exactly this as part of her Masters dissertation), so rather than write about it all here, I’ve written a howto/article: SSL Client Certificate Authentication In Ruby On Rails. If you’re at all interested in the topic, you’re welcome to have a read and give me any feedback.

Tags: , , , ,