David Ziegler's Blog

django-urlcrypt now with RSA

Someone on Reddit pointed out that our url obfuscation method for django-urlcrypt was rather simplistic. We already kind of knew this, and that if someone was able to figure out the obfuscation key then they’d be able to decode the urls to get someone’s hashed password. I don’t think that’s the end of the world because the password is still sha1 hashed, but it’s certainly not ideal.

So with 0.1.4 Chris added an option to use RSA to encrypt the url tokens, and we’re not including the hashed passwords as info that we’re encrypting. From the end user’s perspective the only difference is that if the user changes their password, the old links will still be valid.

If you want to use RSA, which is recommended, just add 

URLCRYPT_PRIVATE_KEY_PATH = '/path/to/private_key'

in your settings.
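The trade-off noted above is that once the hashed password is left out of the token, old links survive a password change. The following added example (not django-urlcrypt's code) shows one way to keep links tied to the current password without putting the hash in the URL; it uses standard-library HMAC signing in place of RSA encryption, and `SERVER_KEY`, `make_token`, `check_token`, the token layout and the sample hash are all assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients


def _mac(data: bytes) -> bytes:
    return hmac.new(SERVER_KEY, data, hashlib.sha256).digest()


def pw_fingerprint(stored_hash: str) -> str:
    # Keyed, truncated digest of the stored hash: it changes whenever the
    # password changes, but the link holder never sees the stored hash.
    return _mac(b"pwfp:" + stored_hash.encode()).hex()[:16]


def make_token(user_id: int, url: str, stored_hash: str) -> str:
    # The payload is signed, not encrypted: user id and URL are readable.
    fields = {"u": user_id, "url": url, "fp": pw_fingerprint(stored_hash)}
    payload = json.dumps(fields, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    sig = base64.urlsafe_b64encode(_mac(b"tok:" + payload)).decode()
    return body + "." + sig


def check_token(token: str, lookup_hash):
    """Return the payload dict if the token is authentic and current, else None.

    lookup_hash(user_id) returns the user's currently stored hash, or None.
    """
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
        given = base64.urlsafe_b64decode(sig)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    if not hmac.compare_digest(given, _mac(b"tok:" + payload)):
        return None  # forged or modified token
    data = json.loads(payload)
    current = lookup_hash(data["u"])
    if current is None:
        return None  # unknown user
    if not hmac.compare_digest(data["fp"], pw_fingerprint(current)):
        return None  # password changed since the link was issued
    return data
```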

Nov 6, 2010