security

When you can’t use cookies

2 minute read

So, I’ve looked at the utility and security of cookies and I’ve looked at the utility and security of sessions. If you’ve been following along, then you know...

Rails in Session

4 minute read

Last time I took a reasonably deep dive into cookies. Cookies can keep state information and settings for visitors to a site. However, by default they aren’t se...

C is for (HTTP) Cookies

4 minute read

I’ve been working on a post about using JSON Web Tokens (JWTs) when you can’t use HTTP cookies for sessions. As I dug into it, I came to realize that unde...

JWT Basics

2 minute read

JSON Web Tokens (JWTs) have come into my life. I like them and you will too… Pronounced “jot”, the short version is that they are cryptographically signed blo...
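As an added illustration of what the post above introduces, here is a minimal HS256 signer and verifier in plain Ruby using only the standard library. It is not code from the post or from any JWT gem, and the secret and claims are made up for the demo. The verifier pins the algorithm to HS256 (so a header claiming `none` is refused), compares the signature in constant time, and checks `exp`.

```ruby
require 'openssl'
require 'json'

# Base64url without padding, the encoding JWTs use for every segment.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # strict mode: garbage raises ArgumentError
end

# Compare two byte strings without leaking where they first differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# header.payload.signature, where the signature is HMAC-SHA256 over the
# first two segments with a shared secret.
def jwt_sign(claims, secret)
  header = { alg: 'HS256', typ: 'JWT' }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  mac = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url_encode(mac)}"
end

# Returns [true, claims] or [false, reason]. The algorithm is fixed on the
# verifier side: whatever the header claims ("none", RS256, ...) is not
# trusted, which closes the classic JWT confusion bug.
def jwt_verify(token, secret, now: Time.now.to_i)
  parts = token.split('.', -1)
  return [false, 'malformed'] unless parts.length == 3 && parts.none?(&:empty?)
  head, body, sig = parts
  header = JSON.parse(b64url_decode(head))
  return [false, 'malformed'] unless header.is_a?(Hash)
  return [false, 'unsupported alg'] unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}")
  return [false, 'bad signature'] unless constant_time_equal?(expected, b64url_decode(sig))
  claims = JSON.parse(b64url_decode(body))
  return [false, 'malformed'] unless claims.is_a?(Hash)
  return [false, 'expired'] if claims.key?('exp') && now >= claims['exp'].to_i
  [true, claims]
rescue ArgumentError, JSON::ParserError, TypeError
  [false, 'malformed']
end

if $PROGRAM_NAME == __FILE__
  secret = 'demo-secret-do-not-use' # made-up secret for the demo
  token = jwt_sign({ 'sub' => 'alice', 'exp' => Time.now.to_i + 300 }, secret)
  puts token
  p jwt_verify(token, secret)
  p jwt_verify(token, 'wrong-secret')
end
```

Note that the signature only proves who minted the token; the claims themselves are merely base64url-encoded, so anything in the payload is readable by whoever holds the token.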

NGINX SNI

less than 1 minute read

Well, I might as well round out my Server Name Indication (SNI) sort-of series by taking a look at nginx. Does your nginx support SNI? You can check by runni...

HAProxy SNI

2 minute read

Last time, I looked at configuring Server Name Indication (SNI) with Apache. It just so happened I needed to set up SNI with the HAProxy Load Balancer last w...

Apache SNI

2 minute read

I covered Server Name Indication (SNI) a while back, but it still surprises me how little people know about it. So, it’s time to look at configuring Apache t...

Client Certificate CA Setup and Signing

2 minute read

Previously, I wrote about the promise of using Client SSL Certificates for authentication. With this post, we start down the road of actually putting this in...
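An added Ruby example of the CA setup and client-certificate signing that the post above starts on, written here with Ruby's OpenSSL bindings for illustration rather than taken from the post; the organisation, common names, serials, lifetimes and key sizes are made up. It builds a self-signed CA, signs a client certificate that is marked CA:FALSE and clientAuth, and verifies the chain the way a server would before trusting the certificate.

```ruby
require 'openssl'

# Build an X.509v3 certificate. With issuer_cert nil the cert is self-signed
# (the CA root); otherwise it is signed with issuer_key under issuer_cert.
def build_cert(subject:, public_key:, issuer_key:, serial:, issuer_cert: nil, ca: false, days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    # Only the CA may sign certificates. Critical means a verifier that
    # does not understand the extension must reject the cert.
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    # A client cert must never be able to mint further certificates.
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth', false))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# What the web server does on connect: chain the presented cert to the one
# CA we trust and nothing else. Returns true or false.
def verify_client_cert(ca_cert, client_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(client_cert)
end

# Made-up PKI for the demo: one CA, one client ("alice").
def setup_ca_and_client
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = build_cert(subject: '/O=Example Corp/CN=Example Client CA', public_key: ca_key.public_key,
                       issuer_key: ca_key, serial: 1, ca: true, days: 3650)
  client_key = OpenSSL::PKey::RSA.new(2048)
  client_cert = build_cert(subject: '/O=Example Corp/CN=alice', public_key: client_key.public_key,
                           issuer_key: ca_key, issuer_cert: ca_cert, serial: 2, days: 365)
  { ca_key: ca_key, ca_cert: ca_cert, client_key: client_key, client_cert: client_cert }
end

if $PROGRAM_NAME == __FILE__
  pki = setup_ca_and_client
  puts pki[:ca_cert].to_pem
  puts pki[:client_cert].to_pem
  puts "client cert chains to CA: #{verify_client_cert(pki[:ca_cert], pki[:client_cert])}"
end
```

In deployment the CA private key stays off the web server; only the CA certificate is installed there (for Apache, as the trust anchor the server checks client certificates against), and each client gets its own key plus the signed certificate.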

diceware.rb Revisited

2 minute read

A while back I wrote about Diceware, a system for generating passwords using dice and a word list. I also included a Ruby script that uses virtual dice.

(Symmetric) Encryption with Ruby (and Rails)

5 minute read

I wrote and maintain (though not as attentively as I’d like) a Ruby Gem, Strongbox, which adds Public-key Encryption support to Rails’ ActiveRecord. Simply p...

Diceware for Passwords

2 minute read

Making up passwords is hard. You want something you can remember, and you need something difficult to guess or brute force.
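An added Ruby sketch of the Diceware procedure that the two posts above (Diceware for Passwords and diceware.rb Revisited) describe, to show the mechanics end to end; it is not the diceware.rb script from those posts. The word list is a constructed 36-entry list keyed by two dice (the real Diceware list has 7776 entries keyed by five), and SecureRandom stands in for physical dice.

```ruby
require 'securerandom'

# Constructed demo list: 36 words keyed "11".."66" by two dice. The real
# Diceware list is the same shape with five dice (7776 entries).
DEMO_WORDS = %w[
  acorn badge cabin dairy eagle fable gavel haiku igloo jelly kayak lemon
  mango noble oasis panda quilt radar saber tango ultra vivid waltz xenon
  yacht zebra amber bison cider delta ember flint gecko hazel ivory jumbo
].freeze
DEMO_LIST = (1..6).flat_map { |a| (1..6).map { |b| "#{a}#{b}" } }.zip(DEMO_WORDS).to_h.freeze

# One virtual die: uniform on 1..6 from a CSPRNG. random_number(6) is
# already unbiased, so no modulo trick is needed.
def roll_die
  SecureRandom.random_number(6) + 1
end

# How many dice a list needs. A proper list has exactly 6**n entries so
# that every possible roll maps to a word.
def dice_per_word(list)
  n = Math.log(list.size, 6).round
  raise ArgumentError, "list has #{list.size} entries, not a power of 6" unless 6**n == list.size
  n
end

# Roll n dice, join the faces into the lookup key, return [key, word].
def pick_word(list, n)
  key = Array.new(n) { roll_die }.join
  [key, list.fetch(key)]
end

def passphrase(list, word_count)
  n = dice_per_word(list)
  Array.new(word_count) { pick_word(list, n) }
end

# Strength in bits: each word is one of list_size equiprobable choices,
# independent of the others, so entropy adds up per word.
def entropy_bits(list_size, word_count)
  word_count * Math.log2(list_size)
end

if $PROGRAM_NAME == __FILE__
  picks = passphrase(DEMO_LIST, 5)
  picks.each { |key, word| puts "#{key}  #{word}" }
  puts picks.map(&:last).join(' ')
  printf("%.1f bits from the demo list; %.1f bits for 6 words from the full 7776-word list\n",
         entropy_bits(DEMO_LIST.size, 5), entropy_bits(7776, 6))
end
```

The point of the lookup-by-roll design is that the strength comes from the dice, not from the words: a six-word phrase from the full list is about 77.5 bits whatever words happen to come up, and rerolling a word you dislike does not cost entropy as long as you reroll rather than hand-pick.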

Ban Bad Bots by IP

3 minute read

In the Internet age we live in, it’s not uncommon for web servers to be hit with unintentional, not-so-distributed Denial of Service (DoS) attacks. The atta...

Dynamic Keys for Strongbox

1 minute read

Previously, Strongbox, my gem for using Public Key Encryption with ActiveRecord, allowed only one key pair for encrypting all of the records for a given Acti...

Generating RSA Key Pairs in Ruby

1 minute read

I’ve given a number of examples of using Public-key cryptography in blog posts and in the Strongbox documentation, but I’ve always generated the RSA key pair...

Introducing Strongbox

6 minute read

Over a year ago I wrote the wildly popular Encrypting Lots of Sensitive Data with Ruby (on Rails). At the end I said: Clearly, this screams for a plugin; w...

Encrypting Sensitive Data with Ruby (on Rails)

2 minute read

In Encrypting Sensitive Data with Perl I wrote about how to use public key encryption to automatically and securely encrypt information with Perl. This allo...

Encrypting Sensitive Data with Perl

4 minute read

It’s not uncommon to have information submitted through a web form that you need to save, but don’t want to have lying around in plain text. Credit card numb...
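The Perl and Ruby posts above (Encrypting Sensitive Data with Perl, Encrypting Sensitive Data with Ruby, Generating RSA Key Pairs in Ruby, and the Strongbox and symmetric-encryption posts) share one pattern: the web tier holds only a public key, so it can encrypt what a form submits but cannot read it back, and the private key lives somewhere else. Here is an added Ruby example of that pattern with the standard OpenSSL bindings; it is not the posts' code or the Strongbox gem. It generates an RSA pair, then encrypts each record under a fresh AES-256-GCM key that is itself wrapped with RSA-OAEP, because RSA alone cannot encrypt more than a couple of hundred bytes and gives no integrity check. The field value and record identifier are made up.

```ruby
require 'openssl'

# Generate a pair. In practice the private PEM goes to an offline box (or is
# passphrase-protected) and only the public PEM is deployed to the web server.
def generate_rsa_keypair(bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  { private_pem: key.to_pem, public_pem: key.public_key.to_pem }
end

# Web-tier side: needs only the public key. A fresh AES key and IV per
# record; GCM produces an auth tag so any tampering fails on decrypt, and
# the record identifier is bound in as associated data so a ciphertext
# cannot be moved from one row to another.
def encrypt_for(public_pem, plaintext, record_id)
  pub = OpenSSL::PKey::RSA.new(public_pem)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  aes_key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = record_id
  body = plaintext.empty? ? '' : cipher.update(plaintext)
  body += cipher.final
  {
    wrapped_key: pub.public_encrypt(aes_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING),
    iv: iv,
    tag: cipher.auth_tag,
    ciphertext: body
  }
end

# Back-office side: needs the private key. Raises
# OpenSSL::Cipher::CipherError if ciphertext, tag or record_id differ from
# what was encrypted.
def decrypt_with(private_pem, envelope, record_id)
  priv = OpenSSL::PKey::RSA.new(private_pem)
  aes_key = priv.private_decrypt(envelope[:wrapped_key], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = aes_key
  cipher.iv = envelope[:iv]
  cipher.auth_tag = envelope[:tag]
  cipher.auth_data = record_id
  body = envelope[:ciphertext].empty? ? '' : cipher.update(envelope[:ciphertext])
  body + cipher.final
end

if $PROGRAM_NAME == __FILE__
  pair = generate_rsa_keypair
  env = encrypt_for(pair[:public_pem], 'card=4111111111111111', 'customer:42')
  puts "stored ciphertext (base64): #{[env[:ciphertext]].pack('m0')}"
  puts "recovered: #{decrypt_with(pair[:private_pem], env, 'customer:42')}"
end
```

Everything in the envelope (wrapped key, IV, tag, ciphertext) is safe to store in the database next to the record; the only secret that must stay off the web server is the private PEM.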