latest work towards the secure_compare tutorial

This commit is contained in:
cktricky
2013-08-18 20:10:36 -04:00
parent 3c7a3fc9e4
commit bc74edf28d
2 changed files with 6 additions and 4 deletions
+1 -1
@@ -37,7 +37,7 @@ class User < ActiveRecord::Base
=begin
# More secure version, still lacking a decent hashing routine, this is for timing attack prevention
def self.authenticate(email, password)
user = find_by_email(email) || User.new(:password => '')
user = find_by_email(email) || User.new(:password => "")
if Rack::Utils.secure_compare(user.password, Digest::MD5.hexdigest(password))
return user
else
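Review bot: the fallback `User.new(:password => "")` still leaks the result of the email lookup through the comparison itself: `Rack::Utils.secure_compare` returns false as soon as the two byte lengths differ, and an empty password never has the length of the 32-character `Digest::MD5.hexdigest(password)`, so the constant-time loop only ever runs for accounts that exist. Give the dummy user a stored value of the same shape as a real hash, e.g. `User.new(:password => Digest::MD5.hexdigest(""))`, so both branches do equal work. The single-to-double quote change is cosmetic on its own, and the whole method is still inside `=begin`, so none of this runs until it is uncommented.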
@@ -16,7 +16,9 @@
</div>
<div class="accordion-body in collapse" id="collapsePwdOne" style="height: auto;">
<div class="accordion-inner">
<p class="desc">
A timing attack can exist in several forms. This specific case relates to username (email address) enumeration. By leveraging an automated tool, an attacker can review any subtle variation in response times after submitting a login request to determine if the application is performing a computationally intense function. Meaning, if a function is run once a user is discovered, even if the password is incorrect, this information provides the user with valid or invalid usernames.
</p>
</div>
</div>
</div>
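Review bot: the added `<p class="desc">` text has the cause inverted in its second sentence and the wrong subject in its last: the tell is the case where the application skips the expensive step, and the timing difference "provides the attacker with" (not "the user with") valid usernames. Suggest rewording the second half to: "If the password hash is computed only after a matching email is found, the response for a known address is measurably slower than for an unknown one, even when the password is wrong, so an attacker who measures response times can enumerate valid usernames."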
@@ -59,11 +61,11 @@
<div class="accordion-body collapse" id="collapsePwdFour" style="height: 0px;">
<div class="accordion-inner">
<p class="desc">
Test
</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
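Review bot: the `collapsePwdFour` panel still carries the placeholder "Test" in its `<p class="desc">` while the other accordion panels have real descriptions; fill in the explanation this panel is meant to hold (the secure_compare fix, going by the commit message) or drop the panel until the text exists, so the placeholder does not ship with the tutorial.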