
I have my authentication on my web app running on the devise gem. I was wondering if it was secure. Yes, it stores the passwords as hashes in the database, uses encrypted tokens after logging in etc. But how about in the initial log in phase? Does it send the user's password unencrypted over the air (I don't have SSL)? Could it have the client encrypt it with a certain public key that only the server could decrypt? Or is SSL the only way to encrypt the user's password?

Thanks!

Karan
  • When using browsers as client, TLS is the only way to protect against MitM/active attackers. There are a few techniques to protect against passive attackers, but I strongly recommend TLS. – CodesInChaos May 03 '12 at 10:57
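The following Ruby script is an added illustration of the point raised in the question and the comment above; it is not code from the question, from Devise or from Rails. It builds the form body a browser sends for Devise's default sign-in form (field names `user[email]`, `user[password]` and Rails' CSRF field `authenticity_token` are Devise/Rails defaults; the e-mail, password and token values are constructed for the example), prints the request as it would appear on the wire, and provides a small audit check that flags a password field travelling over plain HTTP. It makes the distinction concrete: the authenticity_token is a CSRF token, not an encryption key, so without TLS the password is present verbatim in the request body.

```ruby
# Added example (not from the question or from Devise/Rails): what a Devise
# sign-in POST looks like without TLS, plus an audit check for exposed passwords.
# Field names follow Devise's default form; all values are constructed samples.
require "uri"

# Encode the sign-in form exactly as a browser would (application/x-www-form-urlencoded).
def devise_sign_in_body(email:, password:, authenticity_token:)
  URI.encode_www_form(
    "authenticity_token" => authenticity_token,   # CSRF token: proves the form came from our site
    "user[email]"        => email,
    "user[password]"     => password,             # sent as-is; nothing here encrypts it
    "commit"             => "Sign in"
  )
end

# Render the full HTTP request (headers + body) as it would appear on the wire.
def raw_http_request(host:, body:)
  ["POST /users/sign_in HTTP/1.1",
   "Host: #{host}",
   "Content-Type: application/x-www-form-urlencoded",
   "Content-Length: #{body.bytesize}",
   "",
   body].join("\r\n")
end

# Decode the body back into its fields. Without TLS, anyone on the network path
# between browser and server can do exactly this.
def decoded_fields(body)
  URI.decode_www_form(body).to_h
end

# Audit check: true when a password-like field is present and the request is not TLS-protected.
# The presence of authenticity_token does not change the answer: it is a CSRF defence only.
def password_exposed?(scheme:, body:)
  has_password = decoded_fields(body).keys.any? { |k| k =~ /password/i }
  scheme.downcase != "https" && has_password
end

if __FILE__ == $PROGRAM_NAME
  body = devise_sign_in_body(email: "alice@example.com",
                             password: "correct horse battery staple",
                             authenticity_token: "EXAMPLE_CSRF_TOKEN")
  puts raw_http_request(host: "app.example.com", body: body)
  puts
  puts "password exposed over http?  #{password_exposed?(scheme: 'http',  body: body)}"
  puts "password exposed over https? #{password_exposed?(scheme: 'https', body: body)}"
end
```

Run it and the printed request shows the password in the body, only URL-encoded (spaces become `+`), which is a reversible encoding, not encryption. The remedy on the Rails side is to serve the whole application over TLS; Rails provides `config.force_ssl = true` in `config/environments/production.rb` for this, which redirects plain HTTP requests to HTTPS and marks session cookies as secure.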

2 Answers


It is secure; remember Rails uses authenticity_token. I haven't heard of issues yet.

Benjamin
  • ah - is this authentication token used to encrypt the user's password, for example, at the client itself? – Karan May 03 '12 at 10:42
  • Check this out. http://stackoverflow.com/questions/941594/understand-rails-authenticity-token – Benjamin May 03 '12 at 10:43
  • Great explanation. Thanks Vezu. From what I understand, the authentication_token is used to protect users from CSRF - the authentication token is stored in the forms field, however, it still doesn't say whether the form sent to the server is plain text or it is encrypted by the token itself. – Karan May 03 '12 at 10:49
  • This is also interesting. https://github.com/plataformatec/devise/wiki/How-To:-Use-HTTP-Basic-Authentication – Benjamin May 03 '12 at 10:52
  • I don't think that is right. "Be warned that HTTP Basic Authentication transmits the username and password in clear text, so you should not use this method for applications where a higher level of security is required." - http://pivotallabs.com/users/ledwards/blog/articles/1534-http-basic-authentication-and-devise – Karan May 09 '12 at 14:50

"Be warned that HTTP Basic Authentication transmits the username and password in clear text, so you should not use this method for applications where a higher level of security is required."

http://pivotallabs.com/users/ledwards/blog/articles/1534-http-basic-authentication-and-devise

Karan