Depending on the nature of your application, keep in mind that both MerbAuth and restful auth use SHA1 for hashing, which was broken 3 years ago by collision. SSL, for which most providers use MD5 for hashing, was also broken, and it's proven that you can create repeatable collisions at will; it's only a matter of time until the same is true for SHA1 as more studying is being done in China. Just some things to keep in mind when thinking about the security of your application.

On Feb 3, 8:33 am, Ken Hudson <[email protected]> wrote:

> Hi Rob,
>
> Thanks for the reply and the suggestions. I agree that both of your ideas are viable alternatives. I am just concerned because down the road there will be major conversion work with either choice (Merb -> Rails3 or RestfulAuth -> MerbAuth). In either case, there could be serious application downtime or disruption. It's kind of cool and fun to have tools that are constantly changing and improving, but the downside (the big downside) is that these changes can impact my customers in a negative way - at least short term. Keeping my customers happy is my primary consideration, so the Rails "let's change everything several times a year" approach is challenging and in this case very frustrating.
>
> In addition to your suggestions, I think there is a 3rd alternative. I could also use Authlogic now and use Authlogic post Rails3. Of course, this will only work if Authlogic is upgraded for Rails3 and continues to be supported after that. Ben Johnson (the author of Authlogic) really seems committed and dedicated to this project, so I feel pretty confident that this alternative would be a viable choice. There is an element of risk though. However, I guess that's true with any of the choices. :-)
>
> Thanks, Ken
>
> On Feb 3, 2009, at 12:23 AM, Rob Kaufman wrote:
>
>> Hi Ken,
>>
>> The timing isn't perfect, but I see two really workable solutions:
>>
>> One is to do your project in Merb. The migration path from Merb to Rails 3 doesn't look any harder than from Rails 2 to Rails 3 (according to my magic 8 ball of course ;-) That way you've got your MerbAuth and you're done.
>>
>> The second way is to go ahead and use RestfulAuth knowing that the password hashes are compatible (so you don't lose passwords between them) and that you will NOT be alone in trying to migrate down the road.
>>
>> Like I said, neither is great, but the only thing you can plan for with certainty is that change will happen ;-)
>>
>> Rob
>>
>> On Mon, Feb 2, 2009 at 14:34, Ken Hudson <[email protected]> wrote:
>>
>>> Hi Matt,
>>>
>>> Thanks for the response.
>>>
>>> Even if MerbAuth is an officially supported plugin for Rails3, I still believe it will become the de facto standard. Therefore, I will still have the same situation. If I choose restful_authentication, Authlogic or any one of the other options currently available for my new project, I will face the prospect that at some point in the future that solution probably won't be supported any more because people will transition to the MerbAuth/Rails3 plugin. At that time I'll have to do some sort of disruptive migration from whatever I choose now to the Rails3/MerbAuth solution or run the risk of serious problems with my solution because of lack of support, deprecated features, etc. I really hate to start a new project knowing full well that down the road I'm going to have to completely gut the authentication (and maybe authorization components) to adapt to a new de facto standard. If it were any other part of the system maybe this would be OK, but you don't really want to mess with authentication and authorization in a production system that (hopefully) will be used by tens of thousands of people. I'm just trying to figure out if there are any reasonable alternatives at this point or if I'm just stuck. It's looking like I'm just stuck... I do think this is a serious problem that everyone starting a new project from now until the release of Rails3 will face, though. If there are any ways to minimize the impact I'd certainly like to know what they are.
>>>
>>> Thanks and best regards, Ken
>>>
>>> On Feb 2, 2009, at 2:13 PM, Matt Aimonetti wrote:
>>>
>>>> I've heard MerbAuth will be part of Rails3.
>>>>
>>>> I don't think that will be the case; I would expect MerbAuth to be a plugin for Rails (probably/maybe officially supported by the Rails team).
>>>>
>>>> You might want to check the new wiki for more info on Rails auth solutions: http://newwiki.rubyonrails.org/
>>>>
>>>> - Matt
>>>>
>>>> On Mon, Feb 2, 2009 at 11:22 AM, Ken Hudson <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm starting a new rails project and I'm trying to decide what to use for authentication. Unless I decide to write it myself, I think I have two choices: restful_authentication or authlogic. Here's the dilemma: when Merb and Rails get folded together in Rails3, I've heard MerbAuth will be part of Rails3. I'm hoping my new application will be around for a long period of time and I'm not sure how to approach this. What approach do you all think would be best?
>>>>>
>>>>> Thanks! Ken

--
SD Ruby mailing list [email protected] http://groups.google.com/group/sdruby
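The thread's two technical concerns, SHA1 as the password digest and keeping stored hashes usable across an auth-library migration, in an added example that is not from the thread or from MerbAuth, restful_authentication or Authlogic: it verifies a legacy salted-SHA1 record and, on a successful login, re-hashes the password with PBKDF2-HMAC-SHA256 from Ruby's stdlib OpenSSL, so the migration needs neither plaintext passwords nor forced resets. The legacy digest layout (restful_authentication-style `SHA1("--salt--password--")`), the record shape and all sample values are assumptions.

```ruby
require "digest/sha1"
require "openssl"
require "securerandom"

# Added example, not code from the thread or from MerbAuth/restful_authentication.
# Legacy format is ASSUMED to be restful_authentication-style SHA1("--salt--password--");
# confirm your library's actual scheme before reusing this.
LEGACY_SCHEME = "sha1".freeze
PBKDF2_SCHEME = "pbkdf2-sha256".freeze
PBKDF2_ITERATIONS = 100_000

def legacy_sha1_digest(password, salt)
  Digest::SHA1.hexdigest("--#{salt}--#{password}--")
end

# Slow, salted KDF from Ruby's stdlib OpenSSL; output is base64 so it fits a string column.
def pbkdf2_digest(password, salt, iterations = PBKDF2_ITERATIONS)
  raw = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, "sha256")
  [raw].pack("m0")
end

# Constant-time comparison so response timing does not leak the matching prefix length.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A stored record is { scheme:, salt:, digest:, iterations: }; the scheme tag is what
# lets old and new hashes coexist in one table during the migration.
def verify_password(record, password)
  case record[:scheme]
  when LEGACY_SCHEME then secure_compare(record[:digest], legacy_sha1_digest(password, record[:salt]))
  when PBKDF2_SCHEME then secure_compare(record[:digest], pbkdf2_digest(password, record[:salt], record[:iterations]))
  else false
  end
end

def new_pbkdf2_record(password)
  salt = SecureRandom.hex(16)
  { scheme: PBKDF2_SCHEME, salt: salt, iterations: PBKDF2_ITERATIONS, digest: pbkdf2_digest(password, salt) }
end

# Login path: a valid legacy hash is accepted once, then replaced. Returns [ok, record_to_store].
def authenticate_and_upgrade(record, password)
  return [false, record] unless verify_password(record, password)
  record = new_pbkdf2_record(password) if record[:scheme] == LEGACY_SCHEME
  [true, record]
end
```

Once every row carries the new scheme tag, the legacy branch can be deleted; rows never touched by a login (dormant accounts) are the ones that still need a reset.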
