Onetime Password plugin for rails
Do you blog from friends computers or the internet cafe?
I do not.
I am too afraid that some sort of malware is installed that will grab my password. To overcome this problem, I wrote a small onetime password (otp) system for my bewiso content management software.
As the name says, a onetime password can only be used one time; after that it is invalid and can no longer be used to unlock your account. While this is great against shoulder surfing, it does not protect you from malware that takes over your current authenticated connection.
There are two scenarios. In the first one, the attacker is able to read and write to your internet connection. This is very easy on public hotspots and doable more or less anywhere between your computer and the computer that you are talking to. You can protect your connection by using encryption and digital certificates to make sure that nobody is able to tamper with your data. That works.
In the second scenario, the malware or attacker has control over your computer. In this case, the encryption will not help you much, as the attacker is able to read and write data before it gets encrypted. Imagine you want to add a new post to your blog and the attacker changes the request from something like https://yourhost/new_article to https://yourhost/delete_all_articles . The result would be that all your posts are deleted. Not good.
It is very hard to protect against such a threat, as your blog server has no way of knowing whether you made the request or whether your computer did it without you being aware of it.
Because of this problem, I wrote some additional code for the plugin that enables you to exclude some of the actions in your controller from being available during a onetime password session.
If you add something like
include OnetimepasswordSystem
before_filter :no_otp_session, :except => [:logout,:index]
to your controller, it will prevent all actions except 'logout' and 'index' from being available during an otp session.
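To show how such a filter behaves end to end, here is an added example that is not the plugin's own code: it models both the burn-on-first-use property of the codes and the no_otp_session filter, using a tiny stand-in for ActionController so it runs without Rails. The module name OnetimepasswordSystem, the session flag :otp_session and the MiniController class are assumptions modelled on the snippet above.

```ruby
require 'digest'

# Added example, not the plugin's code: OnetimepasswordSystem, :otp_session
# and MiniController are assumptions modelled on the snippet in the post.
module OnetimepasswordSystem
  # Holds SHA-256 hashes of unused codes; redeeming a code removes it,
  # so a keylogged code cannot be replayed later.
  class CodeStore
    def initialize(codes)
      @unused = codes.map { |c| Digest::SHA256.hexdigest(c) }
    end

    def redeem(code)
      !@unused.delete(Digest::SHA256.hexdigest(code)).nil?
    end
  end

  # Filter: nil lets the action run; a 403 response halts it when the
  # session was opened with a one-time password.
  def no_otp_session
    return nil unless session[:otp_session]
    [403, 'not available during a one-time password session']
  end
end

# Tiny stand-in for ActionController so the example runs without Rails.
class MiniController
  def self.before_filter(name, options = {})
    (@filters ||= []) << [name, Array(options[:except]).map(&:to_s)]
  end
  def self.filters; @filters || []; end
  attr_reader :session
  def initialize(session); @session = session; end

  # Runs each filter unless the action is in its :except list; a filter
  # that returns a response halts the chain, exactly like Rails does.
  def process(action)
    self.class.filters.each do |name, except|
      next if except.include?(action.to_s)
      halted = send(name)
      return halted if halted
    end
    send(action)
  end
end

class ArticlesController < MiniController
  include OnetimepasswordSystem
  before_filter :no_otp_session, :except => [:logout, :index]
  def index;      [200, 'article list']; end
  def logout;     [200, 'logged out'];   end
  def delete_all; [200, 'all deleted'];  end
end

# Simulates one request; otp = true means the session came from an otp login.
def dispatch(action, otp)
  ArticlesController.new(:otp_session => otp).process(action)
end
```

With an otp session, index and logout still work while delete_all is refused with a 403; with a normal session all three actions run.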
Get version 0.1 of my plugin here: onetimepassword plugin v0.1
In case you have problems using the plugin, please contact me or use the comment system.
btw: I am aware that requests that change anything on a server should be sent as POST requests and that there should be some protection against CSRF in place, but this is out of the scope of this article.
onetime password ruby ruby on rails security otp
