Gem security updates, AWS auditing & password hash hacking: Rails 🔐 digest #25

Hacker, Hack Thyself

A good read about the worst-case scenario, stolen password hashes. A rate of 600 passwords in 3 weeks seems to be possible even with slow algorithms.

Free tools for auditing the security of an AWS account


Comparing several authentication approaches and their security


Safari will soon come with an Intelligent Tracking Prevention to prevent privacy violations by advertisers and their tracking cookies.


Understanding the prevalence of web traffic interception

4-10% of encrypted web traffic is intercepted. Not all these interceptions are malicious. Antivirus solutions, firewalls perform interception mostly by installing their own certificate on the user’s machine. But the interception affects security due to basic cryptographic mistakes. Between 16-37% of the outgoing connections are easily vulnerable to man-in-the-middle attacks.

Want to add tests for your cookie and session flags?




 Security updates
All RabbitMQ versions before 3.6.9 have several XSS vulnerabilities and a medium one

The mail gem was vulnerable to header injection in versions < 2.5.5. All 2.6 versions were not vulnerable due to a bug. Install 2.6.6 to get the fix for the vulnerability.


New Apache HTTP Server Release Fixes Authentication Bypass, Denial-of-Service Flaws

Like this kind of articles?

Subscribe to hear about new Rails security resources first. Only helpful articles and guides. Monthly(ish) updates, no spam.

Unsubscribe at any time. Powered by ConvertKit