Wireless networks are an immense convenience, but they can be a security nightmare. Whether you’re sitting in a public wi-fi area or comfortably at home in front of your television, your connections to wireless devices are under constant threat. One of these threats arises when you log in to an online service and potentially reveal your account login and password. Even if these values are encrypted, a smart hacker on the same wireless network might capture your traffic and replay it to the server to gain access to your account.
Asynchronous Ajax calls can really mess you up. The problem is that the environment within which you execute an Ajax call isn’t the same environment as when you handle the results. This situation occurs because of the nature of asynchronous environments. The browser makes the Ajax call to the server and then continues with its own business. Sometime later, the server responds with the results of the Ajax call, but by that time, the context of the browser’s running thread has changed.
It’s like arriving at the train station after the train has left town.
Topics like authentication often give me the heebie-jeebies. I worry about nefarious hackers in some corner of Beijing trying to hack into my account by somehow circumventing the authentication mechanism I put in place. To fight the situation, I would write the entire set of authentication routines myself, but I worry that I haven’t tested them thoroughly; on the other hand, I worry about using a library solution that I don’t fully understand and could therefore leave myself open to an attacker who does fully understand the solution.
A good compromise is to understand a bit about authentication and then use a known solution. When it comes to Sinatra, both are within easy grasp.
Occasionally I run across the need to efficiently encrypt and decrypt small messages that get sent over public media. Sure, I could use SSL, but for simple situations, I don’t need such a big hammer. What I need is a way to take a message like, “I’m leaving the key under the doormat” and tuck it away in a message that otherwise does not need security.
Below is a class called Shencrypt, with two simple methods. To encrypt a message, just pass it as the argument to self.encrypt, and it will return a hash containing the encrypted message along with the IV (initialization vector) that helps protect against analysis by the bad guys. Since this uses symmetric encryption, the receiver has to have access to the same key. This can be solved in various ways; perhaps the most obvious would be to use an MD5 hash of the login password as the key.
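As an added example (not the original post's Shencrypt code), here is a class with the same two-method shape that returns the ciphertext and IV as a hash, but swaps in two defensive choices: the key is derived from the shared password with PBKDF2 instead of a bare MD5 hash, and AES-256-GCM adds an authentication tag so a receiver notices when a captured message has been altered. The password, salt and sample message are constructed for the demonstration.

```ruby
require 'openssl'
require 'base64'

# Assumed example class, not the original post's Shencrypt: AES-256-GCM with
# a random IV per message and a PBKDF2-derived key, so both sides need only
# the shared password and salt, never a raw key.
class Shencrypt
  CIPHER = 'aes-256-gcm'.freeze
  KEY_LEN = 32
  ITERATIONS = 100_000

  # Derive the symmetric key with PBKDF2-HMAC-SHA256 rather than MD5(password):
  # salted, deliberately slow, and a full 256-bit output for AES-256.
  def self.derive_key(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                               OpenSSL::Digest.new('SHA256'))
  end

  # Returns a hash of Base64 strings: the ciphertext, the IV (never reused with
  # the same key), and the GCM tag that detects any tampering.
  def self.encrypt(plaintext, password, salt)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    cipher.key = derive_key(password, salt)
    iv = cipher.random_iv          # fresh 12-byte nonce for every message
    cipher.auth_data = ''          # no additional authenticated data here
    ciphertext = cipher.update(plaintext) + cipher.final
    { ciphertext: Base64.strict_encode64(ciphertext),
      iv: Base64.strict_encode64(iv),
      tag: Base64.strict_encode64(cipher.auth_tag) }
  end

  # Reverses encrypt; raises OpenSSL::Cipher::CipherError if the password is
  # wrong or any of the three fields was altered in transit.
  def self.decrypt(box, password, salt)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.decrypt
    cipher.key = derive_key(password, salt)
    cipher.iv = Base64.strict_decode64(box[:iv])
    cipher.auth_tag = Base64.strict_decode64(box[:tag])
    cipher.auth_data = ''
    cipher.update(Base64.strict_decode64(box[:ciphertext])) + cipher.final
  end
end

# Constructed sample run with a demo password and a fixed demo salt.
if __FILE__ == $PROGRAM_NAME
  box = Shencrypt.encrypt("I'm leaving the key under the doormat", 'demo-pass', 'demo-salt')
  puts Shencrypt.decrypt(box, 'demo-pass', 'demo-salt')
end
```

The salt only needs to be unique per user, not secret; the tag check is what turns a replayed-but-modified message into a hard failure instead of garbage plaintext.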