Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
(16:30:36) Jörn: I love that Django implements the one-and-only good csrf protection out-of-the-box
(16:31:30) Jörn: spent a lot of time researching web application security two years ago, when most had no idea about CSRF, or used really bad workarounds to protect against it
(16:32:10) Paul McLanahan: yeah
(16:32:17) Jörn: at a java user group meeting here in Cologne, a java security guy had barely heard of it, and pretended that its not a realworld issue...
(16:32:22) Paul McLanahan: there was a lot of discussion on the django-dev list about that one
(16:32:29) Paul McLanahan: ha!
(16:32:59) Paul McLanahan: yeah... though I imagine it's hard to be a "security" guy these days.... new techniques are in constant development
(16:33:20) Jörn: I was like "dude, I spent the last three months reading on this stuff. its in the OWASP top 3, and you never heard of it?"
(16:33:31) Paul McLanahan: yeah.. that's pretty bad
(16:34:19) Jörn: ever seen a md5-troll in action?
(16:34:25) Paul McLanahan: nope
(16:34:35) Jörn: random blog post about using md5 to hash passwords instead of storing them in plaintext
(16:34:49) Jörn: md5-troll comments: DON'T USE MD5, TOTALLY UNSAFE
(16:34:57) Paul McLanahan: oh.. haha.. yeah
(16:35:03) Jörn: and that's it, no mention why it is unsafe (or even in which context), or what to use instead
(16:35:04) Paul McLanahan: I have seen that
(16:35:25) Paul McLanahan: thought you meant some new md5 tech... haha
(16:35:27) Jörn: also applies to any other algorithm
(16:36:19) Paul McLanahan: yeah... due to exactly stuff like that, I've seen a lot of bloggers choosing to turn comments off
(16:36:20) Jörn: like SHA-1
(16:36:24) Jörn: totally unsecure
(16:36:27) Paul McLanahan: interesting
(16:36:38) Jörn: of course SHA-256 is bad, too
(16:36:41) Paul McLanahan: yeah... all encryption and hashing is insecure
(16:36:48) Paul McLanahan: given enough time and computers
(16:36:50) Jörn: yeah
(16:37:13) Jörn: but the thing is, in the context of password hashing, as long as you use a long salt, md5 is totally fine
(16:37:21) Paul McLanahan: yup
(16:37:27) Jörn: its just a bad choice if you use md5 to protect your certificates
(16:37:47) Paul McLanahan: and I like that Django's startproject generates a good salt for you
(16:37:51) Paul McLanahan: SECRET_KEY
(16:38:01) Jörn: so md5-troll reads about md5 being bad for certificates, then extrapolates it must be bad for everything else
(16:38:10) Paul McLanahan: yup
(16:38:10) Jörn: the salt is SECRET_KEY?
(16:38:12) Jörn: :p
(16:38:24) Paul McLanahan: it's something you can use for a salt
(16:38:42) Paul McLanahan: and it's what the contrib.auth app uses I believe
(16:38:47) Jörn: ah, nice
(16:39:23) Jörn: that's really the only approach to good security - build it into the tools and frameworks
(16:39:30) Paul McLanahan: yup
(16:39:34) Jörn: make it the default
(16:39:35) Paul McLanahan: otherwise people won't do it
(16:39:56) Paul McLanahan: yup... which is why CSRF protection is enabled by default in Django 1.2+
(16:40:32) Paul McLanahan: also nice is built-in support for signed cookies
(16:40:53) Jörn: and as long as you use the models/db modules, I guess its hard to produce a sql-injection hole
(16:41:11) Paul McLanahan: hard, but not impossible
(16:41:20) Paul McLanahan: still have to be vigilant about user input
(16:41:25) Paul McLanahan: but it's easier to do that
(16:41:47) Jörn: ah, never got to study signed cookies - didn't ever see a java framework with built-in support, a shame really
(16:42:32) Paul McLanahan: XSS is also easy to prevent in Django as nearly all template variables are escaped automatically
(16:42:50) Paul McLanahan: you have to tell it not to escape if you're sure you don't need it
(16:45:09) Jörn: that's great
(16:45:20) Jörn: is there some tool/lib for whitelisting html input?
(16:45:38) Paul McLanahan: I believe so
(16:45:48) Jörn: something where you specify which tags and attributes are allowed, and it rejects everything else
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment