Comments on: Beware of ssl_requirement http://blog.aisleten.com/2008/06/02/beware-of-ssl_requirement/ Late nights eventually pay off Wed, 08 Feb 2012 19:15:48 +0000 hourly 1 http://wordpress.org/?v= By: The Lazy Man’s Approach to SSL in Ruby on Rails « Ian Lotinsky http://blog.aisleten.com/2008/06/02/beware-of-ssl_requirement/#comment-3540 The Lazy Man’s Approach to SSL in Ruby on Rails « Ian Lotinsky Wed, 29 Sep 2010 13:27:01 +0000 http://blog.aisleten.com/?p=124#comment-3540 [...] been transmitted insecurely over HTTP. By that point, who cares if the data is resent securely? The secret has already been exposed! You never want your application to let a user do [...] [...] been transmitted insecurely over HTTP. By that point, who cares if the data is resent securely? The secret has already been exposed! You never want your application to let a user do [...]

]]> By: ken bills http://blog.aisleten.com/2008/06/02/beware-of-ssl_requirement/#comment-3016 ken bills Fri, 08 Jan 2010 15:16:04 +0000 http://blog.aisleten.com/?p=124#comment-3016 it's also important to consider that pages fetched over an insecure protocol (http) that contain forms that are intended to submit sensitive data over a secure protocol (https) are also vulnerable to Man in the Middle (MiM) attacks. This is due to a lack of authenticity. In addition to encryption, SSL also provides the client with a way to ensure that the sender of the data is who they say they are. That's why they make you buy a certificate from a certificate authority like Geortrust or verisign. Without it, a man in the middle could alter the data sent back from the server on the insecure request. For example they could change the form so that the action attribute points to their server instead of yours. it’s also important to consider that pages fetched over an insecure protocol (http) that contain forms that are intended to submit sensitive data over a secure protocol (https) are also vulnerable to Man in the Middle (MiM) attacks.

This is due to a lack of authenticity. In addition to encryption, SSL also provides the client with a way to ensure that the sender of the data is who they say they are. That’s why they make you buy a certificate from a certificate authority like Geortrust or verisign. Without it, a man in the middle could alter the data sent back from the server on the insecure request. For example they could change the form so that the action attribute points to their server instead of yours.

]]> By: Nick http://blog.aisleten.com/2008/06/02/beware-of-ssl_requirement/#comment-2970 Nick Mon, 21 Sep 2009 03:19:15 +0000 http://blog.aisleten.com/?p=124#comment-2970 Whatever happened to DRY? That you have to jump through so many hoops to get this to work is frankly shockingly poor. The idea of http://github.com/iwarshak/secure_actions seems to be on the right track, but that plugin has a big "DO NOT USE THIS PLUGIN" at the top. I've just installed Redmine, and couldn't believe that having made it so easy to connect to an LDAP server to authenticate, it is so hard to get it to secure the login form. Crazy. Only solution for now is to require SSL for the whole shooting match. Whatever happened to DRY?

That you have to jump through so many hoops to get this to work is frankly shockingly poor. The idea of http://github.com/iwarshak/secure_actions seems to be on the right track, but that plugin has a big “DO NOT USE THIS PLUGIN” at the top.

I’ve just installed Redmine, and couldn’t believe that having made it so easy to connect to an LDAP server to authenticate, it is so hard to get it to secure the login form.

Crazy. Only solution for now is to require SSL for the whole shooting match.

]]> By: Consensus on SSL – what’s everyone using? – Afraha ! The Next Big Thing! http://blog.aisleten.com/2008/06/02/beware-of-ssl_requirement/#comment-2916 Consensus on SSL – what’s everyone using? – Afraha ! The Next Big Thing! Sat, 25 Jul 2009 15:50:36 +0000 http://blog.aisleten.com/?p=124#comment-2916 [...] http://blog.aisleten.com/2008/06/02/beware-of-ssl_requirement/ I’m not certain of the validity of this or whether its been addressed. [...] [...] http://blog.aisleten.com/2008/06/02/beware-of-ssl_requirement/ I’m not certain of the validity of this or whether its been addressed. [...]

]]> By: Micah http://blog.aisleten.com/2008/06/02/beware-of-ssl_requirement/#comment-2450 Micah Tue, 04 Nov 2008 18:35:27 +0000 http://blog.aisleten.com/?p=124#comment-2450 Thanks for the tip, Josh! Thanks for the tip, Josh!

]]> By: Josh Nichols http://blog.aisleten.com/2008/06/02/beware-of-ssl_requirement/#comment-2449 Josh Nichols Tue, 04 Nov 2008 18:32:54 +0000 http://blog.aisleten.com/?p=124#comment-2449 I just started out SSL on Rails. I found this fork of ssl_requirement on github: http://github.com/bcurren/ssl_requirement/tree/master I think it might address most of your concerns. Specifically, you can declare what ISN'T ssl-enabled, and you can also easily make sure your forms are ssl protected. I just started out SSL on Rails. I found this fork of ssl_requirement on github: http://github.com/bcurren/ssl_requirement/tree/master

I think it might address most of your concerns. Specifically, you can declare what ISN’T ssl-enabled, and you can also easily make sure your forms are ssl protected.

]]>