Since Let's Encrypt started, the adoption of HTTPS has picked up speed. In Firefox, the percentage of HTTPS page loads is now at 42%. Browsers also campaign for it: more and more of them mark forms that collect sensitive information as insecure when the page is served over plain HTTP. More about this in today's interesting security news:
Ruby method and class injection
Injecting Ruby method and class names. This is a pretty frequent "guest" in my security code audits, so I wrote about it.
Is HTTP Public Key Pinning dead?
Opinion by Ivan Ristić about HTTP Public Key Pinning (HPKP) being too complicated and dangerous to implement.
Storing Passwords in a Highly Parallelized World
As password-cracking methods get faster and faster, it might be time to move from bcrypt to Argon2. A Ruby gem is available.
Authorization with Pundit
Reshaping web defenses with strict Content Security Policy
Interesting new tools and research about Content-Security-Policy
Is your database affected by CVE-2016-6662?
Are you affected by the latest critical MySQL vulnerability?
Two Factor Authentication
Screencast on how to add 2FA to your application
Moving towards a more secure web
Chrome will also mark login screens as insecure if they are served over plain HTTP.