When you can’t use cookies
So, I’ve looked at the utility and security of cookies and I’ve looked at the utility and security of sessions. If you’ve been following along, then you know...
Last time I took a reasonably deep dive into cookies. Cookies can keep state information and settings for visitors to a site. However, by default they aren’t se...
I’ve been working on a post about using JSON Web Tokens (JWT) when you can’t use HTTP cookies for sessions. As I dug into it, I came to realize that unde...
JSON Web Tokens (JWT) have come into my life. I like them and you will too… Pronounced “jot”, the short version is that they are cryptographically signed blo...
Well, I might as well round out my Server Name Indication (SNI) sort of series by taking a look at nginx. Does your nginx support SNI? You can check by runni...
Last time, I looked at configuring Server Name Indication (SNI) with Apache. It just so happened I needed to set up SNI with the HAProxy Load Balancer last w...
I covered Server Name Indication (SNI) a while back, but it still surprises me how little people know about it. So, it’s time to look at configuring Apache t...
Once you have a CA configured, you need to set up the Apache Web server to use it. The process of requesting the certificate from the browser and verifying th...
Previously, I wrote about the promise of using Client SSL Certificates for authentication. With this post, we start down the road of actually putting this in...
Holy crap! You can use SSL client certificates to easily authenticate user logins!
A while back I wrote about Diceware, a system for generating passwords using dice and a word list. I also include a Ruby script that uses virtual dice.
When I run into a problem I can’t and the Google doesn’t have it, I document it for the next person.
I wrote and maintain (though not as attentively as I’d like) a Ruby Gem, Strongbox, which adds Public-key Encryption support to Rails’ ActiveRecord. Simply p...
Making up passwords is hard. You want something you can remember which is and you need something difficult to guess or brute force.
TL;DR - This won’t work:
In the Internet age we live in, it’s not uncommon for web servers to be hit with Unintentional, not so Distributed, Denial of Service (DoS) Attacks. The atta...
Previously, Strongbox, my gem for using Public Key Encryption with ActiveRecord, allowed only one key pair for encrypting all of the records for a given Acti...
I’ve given a number of examples of using Public-key cryptography in blog posts and in the Strongbox documentation, but I’ve always generated the RSA key pair...
Over a year ago I wrote the wildly popular Encrypting Lots of Sensitive Data with Ruby (on Rails). At the end I said: Clearly, this screams for a plugin; w...
Previously I wrote about how to use public key encryption to automatically encrypt data using Ruby (and thus Rails). Because this method can encrypt data wi...
In Encrypting Sensitive Data with Perl I wrote about how to use public key encryption to automatically and securely encrypt information with Perl. This allo...
It’s not uncommon to have information submitted through a web form that you need to save, but don’t want to have lying around in plain text. Credit card numb...