tags:

views:

226

answers:

2
Q: 

For Rails apps, keeping your environment.rb file in your repository seems unsecure...

Many Rails apps use the CookieStore method of storing sessions. The security of this method depends mainly on the security of the session secret key which is defined by default in config/environment.rb:

config.action_controller.session = {
    :session_key => '_some_name_session',
    :secret      => 'long secret key'
}

Most people including myself keep this file in our SCM repo. Does this mean if I do some work at a coffee shop (or any open wireless connection) and commit my source, someone can sniff this secret and possibly start creating valid sessions for my application? Can't people sniff the files I commit? This seems like a pretty decent security hole.

+4  A: 

If you're committing over a protocol other than https or SSH, then yes I believe so. If the person controlling your remote repository server is using port 80 instead of 443, I'd sit down and have a discussion with them.

MattC  2009-07-13 18:34:12
ok...i guess ssh must use a two way encryption function so that the receiver can decrypt the data. so i guess a sniffer would also be able to decrypt data transmitted over ssh?
Tony  2009-07-13 18:58:51
It would be extremely difficult. Depending on the key strength used, it generally wouldn't be worth the person's time to sniff and attempt to decrypt the traffic, especially without having the private key. HTTPS is a little easier to crack, but generally if someone wanted your session key that badly they'd either attempt to get it from your repository checked out on your laptop or hack your server directly.
MattC  2009-07-13 19:02:46
A: 

Not necessarily. If you're talking to Subversion you can choose to use an HTTPS address rather than an HTTP one and all the communications between your local machine and the version control server will be secure.

I'd be very surprised if Git and Mercurial didn't offer the same ability.

John Munsch  2009-07-13 18:34:37
Git and Hg both allow communication over HTTPS, or another secure method like SSH.
mipadi  2009-07-13 18:45:10

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security