jzaefferer/gist:51d1ddf7016e45bd4296 Secret

## gistfile1.txt

(16:30:36) Jörn: I love that Django implements the one-and-only good csrf protection out-of-the-box
(16:31:30) Jörn: spent a lot of time researching web application security two years ago, when most had no idea about CSRF, or used really bad workarounds to protect against it
(16:32:10) Paul McLanahan: yeah
(16:32:17) Jörn: at a java user group meeting here in Cologne, a java security guy had barely heard of it, and pretended that its not a realworld issue...
(16:32:22) Paul McLanahan: there was a lot of discussion on the django-dev list about that one
(16:32:29) Paul McLanahan: ha!
(16:32:59) Paul McLanahan: yeah... though I imagine it's hard to be a "security" guy these days.... new techniques are in constant development
(16:33:20) Jörn: I was like "dude, I spent the last three months reading on this stuff. its in the OWASP top 3, and you never heard of it?"
(16:33:31) Paul McLanahan: yeah.. that's pretty bad
(16:34:19) Jörn: ever seen a md5-troll in action?
(16:34:25) Paul McLanahan: nope
(16:34:35) Jörn: random blog post about using md5 to hash passwords instead of storing them in plaintext
(16:34:49) Jörn: md5-troll comments: DON'T USE MD5, TOTALLY UNSAFE
(16:34:57) Paul McLanahan: oh.. haha.. yeah
(16:35:03) Jörn: and that's it, no mention why it is unsafe (or even in which context), or what to use instead
(16:35:04) Paul McLanahan: I have seen that
(16:35:25) Paul McLanahan: thought you meant some new md5 tech... haha
(16:35:27) Jörn: also applies to any other algorithm
(16:36:19) Paul McLanahan: yeah... due to exactly stuff like that, I've seen a lot of bloggers choosing to turn comments off
(16:36:20) Jörn: like SHA-1
(16:36:24) Jörn: totally unsecure
(16:36:27) Paul McLanahan: interesting
(16:36:38) Jörn: of course SHA-256 is bad, too
(16:36:41) Paul McLanahan: yeah... all encryption and hashing is insecure
(16:36:48) Paul McLanahan: given enough time and computers
(16:36:50) Jörn: yeah
(16:37:13) Jörn: but the thing is, in the context of password hashing, as long as you use a long salt, md5 is totally fine
(16:37:21) Paul McLanahan: yup
(16:37:27) Jörn: its just a bad choice if you use md5 to protect your certificates
(16:37:47) Paul McLanahan: and I like that Django's startproject generates a good salt for you
(16:37:51) Paul McLanahan: SECRET_KEY
(16:38:01) Jörn: so md5-troll reads about md5 being bad for certificates, then extrapolates it must be bad for everything else
(16:38:10) Paul McLanahan: yup
(16:38:10) Jörn: the salt is SECRET_KEY?
(16:38:12) Jörn: :p
(16:38:24) Paul McLanahan: it's something you can use for a salt
(16:38:42) Paul McLanahan: and it's what the contrib.auth app uses I believe
(16:38:47) Jörn: ah, nice
(16:39:23) Jörn: that's really the only approach to good security - build it into the tools and frameworks
(16:39:30) Paul McLanahan: yup
(16:39:34) Jörn: make it the default
(16:39:35) Paul McLanahan: otherwise people won't do it
(16:39:56) Paul McLanahan: yup... which is why CSRF protection is enabled by default in Django 1.2+
(16:40:32) Paul McLanahan: also nice is built-in support for signed cookies
(16:40:53) Jörn: and as long as you use the models/db modules, I guess its hard to produce a sql-injection hole
(16:41:11) Paul McLanahan: hard, but not impossible
(16:41:20) Paul McLanahan: still have to be vigilant about user input
(16:41:25) Paul McLanahan: but it's easier to do that
(16:41:47) Jörn: ah, never got to study signed cookies - didn't ever see a java framework with built-in support, a shame really
(16:42:32) Paul McLanahan: XSS is also easy to prevent in Django as nearly all template variables are escaped automatically
(16:42:50) Paul McLanahan: you have to tell it not to escape if you're sure you don't need it
(16:45:09) Jörn: that's great
(16:45:20) Jörn: is there some tool/lib for whitelisting html input?
(16:45:38) Paul McLanahan: I believe so
(16:45:48) Jörn: something where you specify which tags and attributes are allowed, and it rejects everything else

	(16:30:36) Jörn: I love that Django implements the one-and-only good csrf protection out-of-the-box
	(16:31:30) Jörn: spent a lot of time researching web application security two years ago, when most had no idea about CSRF, or used really bad workarounds to protect against it
	(16:32:10) Paul McLanahan: yeah
	(16:32:17) Jörn: at a java user group meeting here in Cologne, a java security guy had barely heard of it, and pretended that its not a realworld issue...
	(16:32:22) Paul McLanahan: there was a lot of discussion on the django-dev list about that one
	(16:32:29) Paul McLanahan: ha!
	(16:32:59) Paul McLanahan: yeah... though I imagine it's hard to be a "security" guy these days.... new techniques are in constant development
	(16:33:20) Jörn: I was like "dude, I spent the last three months reading on this stuff. its in the OWASP top 3, and you never heard of it?"
	(16:33:31) Paul McLanahan: yeah.. that's pretty bad
	(16:34:19) Jörn: ever seen a md5-troll in action?
	(16:34:25) Paul McLanahan: nope
	(16:34:35) Jörn: random blog post about using md5 to hash passwords instead of storing them in plaintext
	(16:34:49) Jörn: md5-troll comments: DON'T USE MD5, TOTALLY UNSAFE
	(16:34:57) Paul McLanahan: oh.. haha.. yeah
	(16:35:03) Jörn: and that's it, no mention why it is unsafe (or even in which context), or what to use instead
	(16:35:04) Paul McLanahan: I have seen that
	(16:35:25) Paul McLanahan: thought you meant some new md5 tech... haha
	(16:35:27) Jörn: also applies to any other algorithm
	(16:36:19) Paul McLanahan: yeah... due to exactly stuff like that, I've seen a lot of bloggers choosing to turn comments off
	(16:36:20) Jörn: like SHA-1
	(16:36:24) Jörn: totally unsecure
	(16:36:27) Paul McLanahan: interesting
	(16:36:38) Jörn: of course SHA-256 is bad, too
	(16:36:41) Paul McLanahan: yeah... all encryption and hashing is insecure
	(16:36:48) Paul McLanahan: given enough time and computers
	(16:36:50) Jörn: yeah
	(16:37:13) Jörn: but the thing is, in the context of password hashing, as long as you use a long salt, md5 is totally fine
	(16:37:21) Paul McLanahan: yup
	(16:37:27) Jörn: its just a bad choice if you use md5 to protect your certificates
	(16:37:47) Paul McLanahan: and I like that Django's startproject generates a good salt for you
	(16:37:51) Paul McLanahan: SECRET_KEY
	(16:38:01) Jörn: so md5-troll reads about md5 being bad for certificates, then extrapolates it must be bad for everything else
	(16:38:10) Paul McLanahan: yup
	(16:38:10) Jörn: the salt is SECRET_KEY?
	(16:38:12) Jörn: :p
	(16:38:24) Paul McLanahan: it's something you can use for a salt
	(16:38:42) Paul McLanahan: and it's what the contrib.auth app uses I believe
	(16:38:47) Jörn: ah, nice
	(16:39:23) Jörn: that's really the only approach to good security - build it into the tools and frameworks
	(16:39:30) Paul McLanahan: yup
	(16:39:34) Jörn: make it the default
	(16:39:35) Paul McLanahan: otherwise people won't do it
	(16:39:56) Paul McLanahan: yup... which is why CSRF protection is enabled by default in Django 1.2+
	(16:40:32) Paul McLanahan: also nice is built-in support for signed cookies
	(16:40:53) Jörn: and as long as you use the models/db modules, I guess its hard to produce a sql-injection hole
	(16:41:11) Paul McLanahan: hard, but not impossible
	(16:41:20) Paul McLanahan: still have to be vigilant about user input
	(16:41:25) Paul McLanahan: but it's easier to do that
	(16:41:47) Jörn: ah, never got to study signed cookies - didn't ever see a java framework with built-in support, a shame really
	(16:42:32) Paul McLanahan: XSS is also easy to prevent in Django as nearly all template variables are escaped automatically
	(16:42:50) Paul McLanahan: you have to tell it not to escape if you're sure you don't need it
	(16:45:09) Jörn: that's great
	(16:45:20) Jörn: is there some tool/lib for whitelisting html input?
	(16:45:38) Paul McLanahan: I believe so
	(16:45:48) Jörn: something where you specify which tags and attributes are allowed, and it rejects everything else