Is there any easy way to encrypt the URL params that are seen in the URL? I don't feel comfortable exposing the id of the models to the external user.

-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
---------- Forwarded message ----------
From: Vinod Krishnan <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>
Date: Sep 25, 2006 11:48 PM
Subject: [Rails] Encrypt URL Params, such as the id
To: rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org

Is there any easy way to encrypt the URL params that are seen in the URL? I don't feel comfortable exposing the id of the models to the external user.
Use :method=>POST instead of GET.
It does not encrypt them, but at least they are not seen in the URL.

On 9/26/06, Vinod Krishnan <vinod.krishnan-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Is there any easy way to encrypt the URL params that are seen in the URL?
> I don't feel comfortable exposing the id of the models to the external
> user.
Bogdan Ionescu wrote:
> Use :method=>POST instead of GET.
> It does not encrypt them, but at least they are not seen in the URL.

Unfortunately, that's still not much of an improvement from a security standpoint. Anyone who knows what they're doing can do a "view source" and hack around with the ids.

I would suggest putting the id in a session:

session[:the_id] = @the_id
I would say that this kind of security by obfuscation is normally unnecessary. If you encrypt the URL values, what's to stop me from noting the encrypted values and spoofing a form to send the encrypted values? Surely the security should be in the application, in that only methods that should be exposed are exposed to general users.

Ross

On 9/26/06, Jon Collier <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Unfortunately, that's still not much of an improvement from a security
> standpoint. Anyone who knows what they're doing can do a "view source"
> and hack around with the ids.
>
> I would suggest putting the id in a session:
>
> session[:the_id] = @the_id

-- 
Ross Riley
riley.ross-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
On 26 Sep 2006, at 15:13, Jon Collier wrote:
> I would suggest putting the id in a session:
>
> session[:the_id] = @the_id

This won't be much use if you want to avoid ids being used in links.

You could go about it in a number of ways: in your models, hash a certain field before_save and save it in a separate field; you can then use this field to search the record. E.g. id, name, value, hashed_id (hash of id with a certain salt). In routes, map /:controller/:action/:hashed_id. But in general, this doesn't provide any more security than exposing the id does.

You could also use a reversible encryption algorithm such as DES combined with Base64 and encrypt the ID with it.

All of this is adding an overhead to your application which could prove as useful as filling the ocean with buckets of water.

Best regards

Peter De Berdt
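As an added example of the reversible-encryption option Peter mentions (this is not code from his post, from the thread, or from Rails), here is an opaque-id encoder in plain Ruby on top of OpenSSL. It substitutes AES-256-GCM for DES so that a token altered in transit fails to decode instead of decrypting to some other id, and it encodes with URL-safe Base64 so the result can sit in a path segment. The key, the 'model-id' purpose label and the OpaqueId name are assumptions made for this example.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Added example, not code from the thread or from Rails. Encodes an integer
# primary key as an opaque URL token with AES-256-GCM (instead of the DES
# mentioned in the thread) so that a modified token is rejected, not decrypted.

# Assumption: in a real app this key is loaded from server configuration;
# here it is generated so the block runs stand-alone.
OPAQUE_ID_KEY = SecureRandom.random_bytes(32)

module OpaqueId
  CIPHER  = 'aes-256-gcm'
  IV_LEN  = 12          # GCM nonce size
  TAG_LEN = 16          # GCM authentication tag size
  PURPOSE = 'model-id'  # assumed label; binds tokens to this one use

  # Integer id -> URL-safe token. A fresh nonce per call means the same id
  # yields a different token each time, so tokens cannot be compared or counted.
  def self.encode(id, key = OPAQUE_ID_KEY)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    cipher.auth_data = PURPOSE
    ciphertext = cipher.update(id.to_s) + cipher.final
    Base64.urlsafe_encode64(iv + cipher.auth_tag + ciphertext, padding: false)
  end

  # Token -> integer id, or nil when the token is malformed, was altered,
  # or was produced under a different key. Callers treat nil as "not found".
  def self.decode(token, key = OPAQUE_ID_KEY)
    raw = Base64.urlsafe_decode64(token.to_s)
    return nil if raw.bytesize <= IV_LEN + TAG_LEN
    iv         = raw[0, IV_LEN]
    tag        = raw[IV_LEN, TAG_LEN]
    ciphertext = raw[(IV_LEN + TAG_LEN)..-1]
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = PURPOSE
    plain = cipher.update(ciphertext) + cipher.final   # raises on a bad tag
    plain =~ /\A\d+\z/ ? plain.to_i : nil
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    nil
  end
end
```

A nil from decode should be handled exactly like a record that does not exist. Decoding only proves the server issued the token; it says nothing about whether the current user may see that record, so the controller still has to make that check, which is Ross's point above.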
On 9/26/06, Vinod Krishnan <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Is there any easy way to encrypt the URL params that are seen in the URL?
> I don't feel comfortable exposing the id of the models to the external
> user.

What are you really trying to accomplish here? Why is it bad if your users know the IDs of your model objects?

-- James
What I am trying to achieve is that malicious users cannot call controller actions in a loop with all the IDs, thereby killing the server.

-Vinod

On 9/26/06, JDL <jamesludlow-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> What are you really trying to accomplish here? Why is it bad if your
> users know the IDs of your model objects?
>
> -- James
Vinod Krishnan wrote:
> What I am trying to achieve is that malicious users cannot call
> controller actions in a loop with all the IDs, thereby killing the
> server.

And what would happen if they just repeatedly threw randomly generated parameters at it?

_Kevin
In that case, try and solve the problem you actually have, rather than find ways to hide it. There are plenty of ways you can prevent malicious users breaking an application.

1. Log the originating IP of requests and deny access after a certain number of requests.
2. Create a token which is hashed and must be included in requests; expire these after a certain amount of time.
3. Use a captcha form or similar principle to prevent automated requests.

Such techniques are much more efficient since they provide security at the point of the problem. As others have pointed out, malicious users can always find a way around obfuscation and you'll find yourself continually fighting fires with your code.

Ross

On 9/27/06, _Kevin <kevin.olbrich-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> And what would happen if they just repeatedly threw randomly generated
> parameters at it?
>
> _Kevin

-- 
Ross Riley
riley.ross-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
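As an added example of items 1 and 2 in Ross's list (this is not code from his post or from Rails), here are both in plain Ruby so they can be tried without a web stack: a per-IP sliding-window limiter that denies a client once it exceeds a request count, and a resource-bound token with an expiry that is authenticated with HMAC-SHA256 so a client cannot mint its own or push the expiry out. The secret, the limits, the class and module names and the sample traffic are all constructed for this example.

```ruby
require 'openssl'

# Added example, not code from the thread or from Rails: plain-Ruby versions
# of items 1 and 2 in the list above, runnable without a web framework.

# Item 1: count requests per originating IP inside a sliding window and deny
# the IP once it exceeds the limit. In a Rails app this would run in a
# before_filter and the store would be shared across processes, not in-memory.
class IpRateLimiter
  def initialize(limit:, window_seconds:)
    @limit  = limit
    @window = window_seconds
    @hits   = Hash.new { |h, ip| h[ip] = [] }   # ip => timestamps of recent requests
  end

  # true if this request may proceed, false if the IP is over the limit.
  def allow?(ip, now = Time.now.to_f)
    stamps = @hits[ip]
    stamps.reject! { |t| t <= now - @window }   # forget hits that left the window
    return false if stamps.size >= @limit
    stamps << now
    true
  end
end

# Item 2: a token the server issues for one resource with an expiry,
# authenticated with HMAC-SHA256 so a client cannot forge or extend it.
module RequestToken
  SECRET = 'constructed-example-secret'   # assumption: a real app loads this from config

  # Format: "<resource_id>:<expires_at>:<hmac>", expires_at as a Unix timestamp.
  def self.issue(resource_id, ttl_seconds, now = Time.now.to_i, secret = SECRET)
    payload = "#{resource_id}:#{now + ttl_seconds}"
    "#{payload}:#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
  end

  # true only when the MAC matches, the token names this resource, and it is unexpired.
  def self.valid?(token, resource_id, now = Time.now.to_i, secret = SECRET)
    id, expires, mac = token.to_s.split(':', 3)
    return false if id.nil? || expires.nil? || mac.nil?
    return false unless id == resource_id.to_s
    return false unless expires =~ /\A\d+\z/ && expires.to_i > now
    expected = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{id}:#{expires}")
    secure_equal?(expected, mac)
  end

  # Constant-time comparison so MAC checking does not leak how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample traffic as [ip, time, id]: one client walks ids 1..8 in a
# tight loop (the scenario Vinod describes), another makes two ordinary requests.
SAMPLE_REQUESTS =
  (1..8).map { |i| ['203.0.113.9', 100.0 + i * 0.1, i] } +
  [['198.51.100.4', 100.5, 7], ['198.51.100.4', 130.0, 8]]

# Replays the traffic through the limiter; returns [allowed, denied] counts.
def replay(requests, limit: 5, window_seconds: 10)
  limiter = IpRateLimiter.new(limit: limit, window_seconds: window_seconds)
  allowed = denied = 0
  requests.each do |ip, at, _id|
    if limiter.allow?(ip, at)
      allowed += 1
    else
      denied += 1
    end
  end
  [allowed, denied]
end
```

With a limit of 5 in a 10-second window, the looping client gets 5 of its 8 requests through and the ordinary client both of its own. Counting by source IP alone is a throttle, not an access control: clients behind one NAT share a budget and a distributed scraper spreads its requests over many addresses, so the per-record authorization check in the action still has to exist. The token shows why a hashed value the client merely echoes back is not enough on its own: it has to be tied to the resource and an expiry, and verified with a constant-time comparison.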