Rietta.com Security
You are reading The Rietta Blog, a publication about the web since 2005. If you enjoy this, you may also want to subscribe to our Web Application Topics Newsletter.

How to Protect Against the POODLE SSLv3 Vulnerability


The POODLE SSL vulnerability marks the third major security flaw discovered this year that impacts the security of millions of websites.

The attack works by forcing the connection to downgrade from the newer TLS protocol to the 18 year old SSL 3 protocol, which is obsolete and insecure, and then utilizing a weakness to calculate small strings of data from the encrypted communication, such as session cookies.

Commercial Information Security Classification System


When you read books on security, at some point the importance of classified information systems is covered. These typically look at Mandatory Access Control in the context of military classifications, such as top secret, secret, for official use only, and sensitive but unclassified. While the existence of commercial classification systems in use outside of a government context may be mentioned, it’s not as common to see a commercial information classification system presented.

In this article, I shall present to you a commercial information classification system that you can use to help plan your web application’s security standards based upon information sensitivity considerations. It is the system that I have developed for use with my own clients and have presented on publicly as part of my series on how a Ruby developer can help prevent a data breach.

Government vs Security - Schneier Explains


We’ve been hearing a lot recently about law enforcement officials upset over the so-called “going dark” problem, with Apple and Google implementing stronger encryption solutions for their mobile platforms. These government organizations are arguing that by making encryption easy to use and unbreakable, Apple and Google will help criminals escape from justice by impeding investigative work.

“You can’t build a backdoor that only the good guys can walk through.”

As security-focused developers, we discuss these issues quite often at Rietta. Sometimes it is difficult to articulate our opinions on the subject, but luckily Bruce Schneier’s post on the subject does a superb job of laying out the major considerations along with supporting evidence, which is well worth a read.

“… let’s wait for some actual evidence of harm before we acquiesce to police demands for reduced security.”

The essential takeaway is that providing a way for the government to legitimately access the data means there is also a way for the various bad guys of the world to access it as well. At the end of the day, the goal is to protect people from harm. Unbreakable encryption can certainly help with that, but sometimes-breakable encryption usually can’t.

Raspberry Pi Crypto Key Management Project!


A few months ago I bought a Raspberry Pi B to experiment with, but sadly my day job as a Ruby developer keep me busy enough that it just sat on the shelf unused until this last weekend. For those not yet in the know, the Raspberry Pi is an excellent little complete computer system on a small circuit board that uses very low power and looks like this:

My Raspberry Pi booting for the First Time!

Software Security Is a Moral Duty


All too often robust security is put off because the cost of prevention is felt upfront and the cost of breach is to realized at an uncertain future time and mostly by third parties. In the name of saving money, organizations continue to run out of date operating systems, reject appropriate strong encryption systems, fail to deploy sufficient network security, and refuse to employ and empower appropriate security staffs. In the end, security is seen as an expense to be minimized as part of a risk management program. But there is another way.

Learn How Upworthy Scaled a Ruby on Rails Application to Serve Massive Traffic


Luigi Montanez is the founding engineer of the viral content website http://upworthy.com and in this ATLRUG talk from July 9, 2014, he gives a fascinating insight into one approach to managing the growth of a startup’s web app in the face of very high traffic. Their backend is built upon Ruby on Rails with an effective use of the Fastly CDN to deliver very high performance at scale.

New OpenPGP Key, 0xC004BAE3 (2014)


After 11 years, I have chosen to transition my OpenPGP/GnuPG cryptographic key pair from a 1024-bit DSA to a 4096-bit RSA key. The new key is ID 0xC004BAE3. Please review the fingerprints and update your OpenPGP keychain accordingly.

The following is my digitally signed transition statement, notice that it is signed with both my new and old key pairs. My old key is un-compromised and will remain valid for a period of time.

Introduction to OpenPGP: Decrypt This Message


If you have been following the news in light of the revelations of the NSA domestic surveillance program, which is probably unconstitutional in the United States but in practice is being permitted by the courts, then you should know something about the encrypt everything movement and Google’s End-to-End project, which is to add OpenPGP to the Chrome web browser. If this is new to you, this fun challenge will help you get started with what you need to decrypt a message with GnuPG!

Introduction to OpenPGP: Decrypt this Message