RailsConf 2017: The Art & Craft of Secrets: Using the Cryptographic Toolbox by Michael Swieton

Picking an encryption algorithm is like choosing a lock for your door. Some are better than others, but there's more to keeping burglars out of your house (or web site) than just the door lock. This talk will review what the crypto tools are and how they fit together with our frameworks to provide trust and privacy for our applications. We'll look under the hood of websites like Facebook, at game-changing exploits like Firesheep, and at how tools from our application layer (Rails), our protocol layer (HTTP), and our transport layer (TLS) combine to build user-visible features like single sign-on.
Summary
In the talk titled "The Art & Craft of Secrets: Using the Cryptographic Toolbox," Michael Swieton discusses the intricacies of cryptographic tools and their significance in establishing trust and ensuring privacy in applications. The session emphasizes that while choosing an encryption algorithm is crucial, effectively integrating various cryptographic components with application frameworks is equally essential to maintaining security.

Key points discussed include:

- **The Concept of Trust**: Trust is foundational in security; it often stems from a chain of trust that includes users, certificates, authorities, and the environment where transactions occur.
- **Authentication and Identity Verification**: Examples illustrate the importance of verifying identity through secure methods like public key infrastructures and the significance of SSL/TLS in maintaining secure channels for authentication.
- **Session Management**: The talk explains how user sessions work, emphasizing the need for secure session tokens that can be revoked, and highlighting potential vulnerabilities from session hijacking.
- **Password Security**: Swieton warns against storing plaintext passwords and discusses the merits of hashing techniques, including complex hashing algorithms like bcrypt that mitigate risks associated with password reuse and data breaches.
- **Single Sign-On Mechanisms**: The complexities of implementing single sign-on (SSO) are examined, illustrating how cryptographic operations underlie the trust established between separate systems.
- **Real-World Security Breaches**: Anecdotes such as the Firesheep attack are presented to show vulnerabilities when SSL/TLS is not comprehensively applied to all communications within applications.
In conclusion, Swieton urges the use of well-audited cryptographic libraries and emphasizes that security is not solely about selecting an algorithm, but rather about understanding and correctly implementing the entire cryptographic framework within applications to protect user trust.