Comments on: How To Use SSL To Secure Your Rails App Against FireSheep And Other Evils

By: How can we tell whether a webpage is secure? | WOPLL

How can we tell whether a webpage is secure? | WOPLL — Tue, 23 Nov 2010 18:09:59 +0000

[…] How To Use SSL To Secure Your Rails App Against FireSheep And Other Evils (kalzumeus.com) […]

By: [delicious | grep links | blogger] for 2010-10-30 at The Standard Output

Sun, 14 Nov 2010 05:24:52 +0000

[…] el-get Pymacs Recipes Mechanical Keyboard Guide – Overclock.net – Overclocking.net How To Use SSL To Secure Your Rails App Against FireSheep And Other Evils: MicroISV on a Shoestring the creative internet (106 things) Reading X509 Certificates from remote machines INI Files Meet […]

By: Delicious Bookmarks for November 12th from 03:01 to 03:06 « Lâmôlabs

Delicious Bookmarks for November 12th from 03:01 to 03:06 « Lâmôlabs — Fri, 12 Nov 2010 10:02:57 +0000

[…] How To Use SSL To Secure Your Rails App Against FireSheep And Other Evils: MicroISV on a Shoestring – November 12th ( tags: ssl rails security nginx ruby firesheep programming webdev howto secure ror app webapp guide tips tricks tutorial ) […]

By: Patrick

Patrick — Mon, 08 Nov 2010 09:40:00 +0000

All of that stuff is inside a Rails action, Chris. Most of the headers go directly to the client. The X-Accel-Redirect one tells the Nginx that is in front of your mongrel “grab this file off the disk and give it to them, without tying up my mongrel during the potentially long download process”

By: Chris

Chris — Sun, 07 Nov 2010 21:00:21 +0000

In the code snippet where you list all the headers you had to set specifically for IE, you don’t say in what file you put those. It looks like it’s in a Rails action, since you’re saying render :nothing => true, or possibly a before_filter, but then you mention using X-Accel-Redirect in Nginx to serve the files directly. Can you please clarify? I’d like to implement this.

Thanks!

By: Chaitanya Gupta

Chaitanya Gupta — Tue, 02 Nov 2010 15:22:55 +0000

That’s great to hear! I thought that the switch to HTTPS might have been slightly bandwidth intensive as proxy caching, etc. cannot be used anymore. So I was thinking that using a signed request instead of HTTPS everywhere might also work e.g. this is how Amazon AWS does it http://aws.amazon.com/articles/1928#HTTP (assuming that the secret key was transferred to the client over SSL and stored locally)

But if the impact of using HTTPS is negligible, best to stick to that I guess.

By: Patrick

Patrick — Tue, 02 Nov 2010 09:25:22 +0000

The impact is below negligible, Chaitanya.

By: Chaitanya Gupta

Chaitanya Gupta — Mon, 01 Nov 2010 18:24:06 +0000

How has the switch to SSL affected your bandwidth and resource consumption?

By: Sysadmin Sunday #3 « Boxed Ice Blog

Sysadmin Sunday #3 « Boxed Ice Blog — Sun, 31 Oct 2010 16:03:44 +0000

[…] How To Use SSL To Secure Your Rails App Against FireSheep And Other Evils – protecting your site from Firesheep […]

By: Lawrence Sinclair

Lawrence Sinclair — Sat, 30 Oct 2010 22:51:47 +0000

I will admit I didn’t read all the details above, but I did notice that you suggest having a site have some parts SSL and some parts non-SSL. Doesn’t that expose the cookies to session hijacking in the non-SSL part of the session? This is supposedly a vulnerability of some sites that are susceptible to firesheep, even though SSL appears to be enforced throughout the session.