Hi, I swear I've searched the Wiki, FAQs, mailing lists, etc., but I can't seem to find an answer to this.

I'm proposing using RoR for an admin app that by all accounts would be a perfect candidate for this technology... but our operations staff is nervous about the fact that the database password is stored in clear text. They point out that in Weblogic (which is what they want us to use), the password is encrypted.

Is there any way to make RoR use an encrypted password? This seems like a pretty important consideration if RoR is going to be used in secure production environments.

Thanks

--
Posted via http://www.ruby-forum.com/.
On 2/12/2005, at 11:23 AM, Marshall Levin wrote:

> I'm proposing using RoR for an admin app that by all accounts would be a perfect candidate for this technology... but our operations staff is nervous about the fact that the database password is stored in clear text. They point out that in Weblogic (which is what they want us to use), the password is encrypted.

Think for a second. If the password is encrypted it must get decrypted at some point. If it can be decrypted and someone breaks into your system, do you really think you stand a gnat's chance in hell of keeping the password out of the hands of the attacker? You're better off making sure database.yml is readable only to the Rails user, and make that user different from the web server's user. FastCGI is great at that.

In short, yes it can be done. It can be done easily. But it offers no extra security. Once a machine is compromised you must assume that all data on it has been taken; things like this only help clueless administrators keep their head in the clouds.

--
Phillip Hutchings
WebGenius Programmer
phillip-O2c5G25DRx+BSvQ9g6pY6g@public.gmane.org
> I swear I've searched the Wiki, FAQs, mailing lists, etc., but I can't seem to find an answer to this.
>
> I'm proposing using RoR for an admin app that by all accounts would be a perfect candidate for this technology... but our operations staff is nervous about the fact that the database password is stored in clear text. They point out that in Weblogic (which is what they want us to use), the password is encrypted.
>
> Is there any way to make RoR use an encrypted password? This seems like a pretty important consideration if RoR is going to be used in secure production environments.
>
> Thanks

How would you encrypt it without having the secret password on the system with it? What good would that do besides providing a layer of obscurity?

I actually did this kind of thing in ASP.Net with the Data Protection API. It's basically a PKI system built into Windows (for EFS) where the server and each user has their own private key. Though, I'm not sure what it did for my app besides making it a PITA to change the password :)

--
rick
http://techno-weenie.net
On 12/1/05, Marshall Levin <mlevin-PLh77uj+hyNWk0Htik3J/w@public.gmane.org> wrote:

> Hi,
>
> I swear I've searched the Wiki, FAQs, mailing lists, etc., but I can't seem to find an answer to this.
>
> I'm proposing using RoR for an admin app that by all accounts would be a perfect candidate for this technology... but our operations staff is nervous about the fact that the database password is stored in clear text. They point out that in Weblogic (which is what they want us to use), the password is encrypted.
>
> Is there any way to make RoR use an encrypted password? This seems like a pretty important consideration if RoR is going to be used in secure production environments.

I'm sure you are going to get a lot of answers on this... I really don't know how weblogic encrypts the password. Is it really encrypting it in a way that is offering real protection, or is it just illusory? Where is the encryption key stored?

With the way that rails works, encrypting the database password gets you very little. In fact encrypting the database password gets you very little no matter what platform you are using. If your system really needs to be secure then you need to approach the problem from an in-depth approach. Otherwise don't put sensitive information online to begin with. I know that's not what most operations types might like to hear, but it's what they should be told.

Chris
snacktime wrote:

> I really don't know how weblogic encrypts the password. Is it really encrypting it in a way that is offering real protection, or is it just illusory? Where is the encryption key stored?

Weblogic encrypts the string using 3DES and its encryption key is hidden somewhere inside the beast. I'm not entirely sure where. I just know that it has its own encryption tool (see http://e-docs.bea.com/wls/docs90/admin_ref/utils.html#1209592) that uses a mysterious "encryption service."

I realize that this is *somewhat* illusory -- it's better than having it in plain text, but yes, if the app server is compromised, the database isn't far behind.

Incidentally, my company specializes in putting sensitive information online.

--
Posted via http://www.ruby-forum.com/.
> Weblogic encrypts the string using 3DES and its encryption key is hidden somewhere inside the beast. I'm not entirely sure where. I just know that it has its own encryption tool (see http://e-docs.bea.com/wls/docs90/admin_ref/utils.html#1209592) that uses a mysterious "encryption service."
>
> I realize that this is *somewhat* illusory -- it's better than having it in plain text, but yes, if the app server is compromised, the database isn't far behind.
>
> Incidentally, my company specializes in putting sensitive information online.

I think I smell a plugin...

--
rick
http://techno-weenie.net
On 12/1/05, Marshall Levin <mlevin-PLh77uj+hyNWk0Htik3J/w@public.gmane.org> wrote:

> snacktime wrote:
> > I really don't know how weblogic encrypts the password. Is it really encrypting it in a way that is offering real protection, or is it just illusory? Where is the encryption key stored?
>
> Weblogic encrypts the string using 3DES and its encryption key is hidden somewhere inside the beast. I'm not entirely sure where. I just know that it has its own encryption tool (see http://e-docs.bea.com/wls/docs90/admin_ref/utils.html#1209592) that uses a mysterious "encryption service."
>
> I realize that this is *somewhat* illusory -- it's better than having it in plain text, but yes, if the app server is compromised, the database isn't far behind.
>
> Incidentally, my company specializes in putting sensitive information online.

A halfway decent checklist for securing web applications is the CISP auditing checklist from the Visa site. It's pretty basic and I'd argue with a few of its methods, but it covers enough ground to be useful.

Chris
I may not understand your question, but is the password not stored in MySQL and not rails? If so, I know that MySQL can encrypt passwords and I think that is the default arrangement on 5.0. Rails can work with that.

bruce

On 1-Dec-05, at 3:23 PM, Marshall Levin wrote:

> Hi,
>
> I swear I've searched the Wiki, FAQs, mailing lists, etc., but I can't seem to find an answer to this.
>
> I'm proposing using RoR for an admin app that by all accounts would be a perfect candidate for this technology... but our operations staff is nervous about the fact that the database password is stored in clear text. They point out that in Weblogic (which is what they want us to use), the password is encrypted.
>
> Is there any way to make RoR use an encrypted password? This seems like a pretty important consideration if RoR is going to be used in secure production environments.
>
> Thanks
>
> --
> Posted via http://www.ruby-forum.com/.
Well, that was a much better answer than mine. I regret having answered now (and I think I did miss your point). Perhaps Phillip Hutchins is a "webgenius programmer".

bruce balmer
not webgenius programmer

On 1-Dec-05, at 3:31 PM, Phillip Hutchings wrote:

> On 2/12/2005, at 11:23 AM, Marshall Levin wrote:
>
>> I'm proposing using RoR for an admin app that by all accounts would be a perfect candidate for this technology... but our operations staff is nervous about the fact that the database password is stored in clear text. They point out that in Weblogic (which is what they want us to use), the password is encrypted.
>
> Think for a second. If the password is encrypted it must get decrypted at some point. If it can be decrypted and someone breaks in to your system do you really think you stand a gnat's chance in hell of keeping the password out of the hands of the attacker? You're better off making sure database.yml is readable only to the Rails user, and make that user different from the web server's user. FastCGI is great at that.
>
> In short, yes it can be done. It can be done easily. But it offers no extra security. Once a machine is compromised you must assume that all data on it has been taken, things like this only help clueless administrators keep their head in the clouds.
>
> --
> Phillip Hutchings
> WebGenius Programmer
> phillip-O2c5G25DRx+BSvQ9g6pY6g@public.gmane.org
On 2/12/2005, at 1:56 PM, Bruce Balmer wrote:

> Well, that was a much better answer than mine. I regret having answered now (and I think I did miss your point). Perhaps Phillip Hutchins is a "webgenius programmer"

Hah, doubt it. That's just the company I work for; my mail client defaults to that signature.

I still stand by my assertion that an encrypted password offers no benefits over clear text when you're facing a determined attacker, and for a 'casual' break-in file permissions will be better. Just make sure the user that the application runs as doesn't have any login capabilities.

--
Phillip Hutchings
phillip.hutchings-QrR4M9swfipWk0Htik3J/w@public.gmane.org
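A check for the file-permission advice in this reply and in Phillip's earlier one, added here as an example and not code from the thread: it audits config/database.yml against the account the Rails app runs as and the web server's account. The account names `rails` and `www-data` and the numeric ids used for the constructed cases are assumptions.

```ruby
# Added example, not from the thread: audit who can read config/database.yml.
# The advice above: the file should be readable only by the account the Rails
# app runs as, and that account should differ from the web server's account.
require 'etc'

# Pure check over plain numbers so it can be exercised with constructed data.
# mode is the full st_mode; rails/web are {uid:, gids:} hashes for the two
# accounts. Returns a list of findings (empty means the file looks right).
def database_yml_findings(mode:, owner_uid:, group_gid:, rails:, web:)
  perms = mode & 0777
  findings = []
  findings << "world-readable (mode #{format('%04o', perms)})" if (perms & 0004) != 0
  findings << "not owned by rails user (owner uid #{owner_uid})" if owner_uid != rails[:uid]
  findings << 'rails and web server run as the same user' if rails[:uid] == web[:uid]
  # Classic owner/group/other resolution for the web server account.
  web_can_read =
    (web[:uid] == owner_uid && (perms & 0400) != 0) ||
    (web[:gids].include?(group_gid) && (perms & 0040) != 0) ||
    (perms & 0004) != 0
  findings << 'web server user can read the file' if web_can_read
  findings
end

# Resolve an account name to its uid and all of its group ids via /etc/passwd
# and /etc/group (supplementary groups matter for the group-read bit).
def account(name)
  pw = Etc.getpwnam(name)
  gids = [pw.gid]
  Etc.group { |g| gids << g.gid if g.mem.include?(name) }
  { uid: pw.uid, gids: gids.uniq }
end

# Live wrapper: stat the real file and check it against the two named accounts.
def audit_database_yml(path, rails_user:, web_user:)
  st = File.stat(path)
  database_yml_findings(mode: st.mode, owner_uid: st.uid, group_gid: st.gid,
                        rails: account(rails_user), web: account(web_user))
end

# Usage: ruby audit_database_yml.rb config/database.yml rails www-data
if __FILE__ == $PROGRAM_NAME && ARGV.length == 3
  path, rails_user, web_user = ARGV
  findings = audit_database_yml(path, rails_user: rails_user, web_user: web_user)
  puts(findings.empty? ? "#{path}: OK" : findings.map { |f| "#{path}: #{f}" })
end
```

A mode of 0640 with the web server's account in the file's group still fails the check, which is the case a simple "not world-readable" test misses.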
One aspect of RoR database login and password management is that, I am willing to bet in most sites, the developers know the database login and password that RoR uses. This is a violation of Sarbanes-Oxley rules that many of us will have to address sooner rather than later (and, in theory, you can go to prison for not being duly diligent about it).

Marshall Levin wrote:

> Hi,
>
> I swear I've searched the Wiki, FAQs, mailing lists, etc., but I can't seem to find an answer to this.
>
> I'm proposing using RoR for an admin app that by all accounts would be a perfect candidate for this technology... but our operations staff is nervous about the fact that the database password is stored in clear text. They point out that in Weblogic (which is what they want us to use), the password is encrypted.
>
> Is there any way to make RoR use an encrypted password? This seems like a pretty important consideration if RoR is going to be used in secure production environments.
>
> Thanks