[PLejeck]

I hope that this will at least light a fire under the asses of Rails devs everywhere, and get them to adopt HTTPS. Nothing is safe against Firesheep without HTTPS. All of these issues would be solved with HTTPS.

Also, doesn't cryptographically signing (or fully encrypting, in Rails 4) the cookie just add more time to processing than using a database? I always assumed cryptography is slower than IO

[progn]

> I always assumed cryptography is slower than IO

Cryptography is a CPU-bound operation that often has specialized hardware support. Here's a rule of thumb: in modern computing, IO incurs a greater cost than pretty much anything you can do locally on-CPU. IO is incredibly expensive: cryptography, not so much. If you pipeline your crypto operations and disk fetches, you won't increase response latency at all.

[etfb]

Ruby has a reputation for slowness ([citation needed]?) so is the cryptographic stuff implemented in the language itself or via C-or-equivalent foreign library? I could understand the "too slow, must avoid" kneejerk reaction if it's all in Ruby, even if the reputation is no longer deserved. Human nature.

[FooBarWidget]

Cryptography in Ruby uses OpenSSL wrapper, so it's essentially C.

[RyanZAG]

Running over HTTPS is not enough, stripping SSL when you can MITM or alter traffic is incredible easy and adds no real complexity. You must both force https and have HSTS enabled at a minimum [1]. Some javascript to ensure that the page being displayed is running over https for first-time users is also a good bet (but can be circumvented).

[1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

[thibaut_barrere]

In the case of Rails, the force_ssl option enables HSTS.

Useful link: http://jamescrisp.org/2013/08/04/moving-to-https-rails-force...

[joesb]

What do you mean? Rails support running over HTTPS. Or are you suggesting that Rails never run over HTTP only?

[PLejeck]

I'm suggesting that site operators need to use HTTPS. It doesn't matter if you use Rails, PHP, Node.js, whatever. USE HTTPS. NEVER USE HTTP.

It's as simple as that. Never assume that anything transmitted over HTTP is safe, because that assumption will come back to bite you.

[thibaut_barrere]

Exactly - use force_ssl true in the case of Rails.

[rmrfrmrf]

do you ever get a headache from sitting in this echo chamber all day?

[thibaut_barrere]

I'm not sure to understand (I see that you're likely using irony, but I'm not a native english speaker).

Are you suggesting not using SSL?

If not, can you clarify your point?

Thanks.

[__chrismc]

I think he means getting devs who deploy Rails apps to start using HTTPS for their app, rather than there being a deficiency in the framework.