Multipass was built with teams and sharing in mind. Multipass is not meant to be a personal password manager. Instead, we wanted to create an application in which teams and sharing are the primary focus.
We also didn't want the responsibility of storing users' data. Even though passwords and secrets are encrypted, the data must exist somewhere, and the user is placing a lot of trust in wherever that data resides.
To achieve these two implementation goals, we decided to limit Multipass to G-Suite…
With Rails 5.2, we can now use the new expiry metadata feature to secure
Others have already touched on the existing limits when setting expiration dates for signed or encrypted cookies and how Rails 5.2 enhances these APIs. Prior to 5.2, the expiration time was only set on the client, and the underlying security layer, MessageVerifier, did nothing to enforce it. In some cases it is important to enforce an expiration time for the cookie; otherwise the cookie value is considered "valid forever".
In this post, we will refactor an existing controller and…
In the upcoming release of Rails version 5.2, two new metadata fields for expiry and purpose information have been added to both the
MessageVerifier classes. These metadata features were developed and implemented as part of the Rails Google Summer of Code 2017 project. Both classes implement the same metadata API for encrypted and signed messages.
First, let's explore the :purpose metadata option. This option lets us specify a string or symbol that will be included within the message when encrypting or generating a signed message. …
With the release of Rails version 5.2, sessions and encrypted cookies are now protected with Authenticated Encryption via AES with GCM mode.
In general, Authenticated Encryption (AE) aims to provide both encryption and authentication through a single programming interface. Output from an AE cipher contains both the resulting ciphertext and an authentication tag, usually in the form of a Message Authentication Code (MAC). Authentication is needed when encrypting messages in order to avoid various attacks on the underlying encryption cipher.
Authenticated Encryption through the GCM cipher was first introduced in Rails 5.1 in PR 25874. This PR…
Have you ever wondered what the secret_key_base value is and how it's used in a Rails application? This configuration value was introduced in Rails 4 and is usually defined on a per-environment basis. Its purpose is simple: to be the secret input for the application's
This method is accessible through Rails.application.key_generator. The method accepts no arguments and returns an ActiveSupport::CachingKeyGenerator instance. Keys are then derived using the generate_key method provided by the CachingKeyGenerator class. …