La Place de l'Eglise (1866) - Johan Barthold Jongkind

Securing webhooks

In this post, I will focus on the rationale behind some popular webhook security methods and will try to explain them in simple terms. 1. Basics Risks and Measures 1.1. Webhooks can be set to leak data silently Let’s assume you are a webhook provider and an attacker compromises the credentials of one of your clients. If your platform doesn’t notify users when a webhook is created or updated - the attacker can create a webhook silently and start leaking data without alerting anyone....

September 18, 2022 · 7 min · Serhat M. Dündar
La Cote Saint Andre (1880) - Johan Barthold Jongkind

Deconstructing and understanding an SSL certificate

Checking SSL certificates on a browser is easy. Just click the green lock icon and you’re good to go. But what if doing the same in a more hacker way? This is where openssl comes into play. Let’s start by checking the SSL certificate of this website: openssl s_client -connect www.serhatdundar.com:443 depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA depth=1 C = US, O = DigiCert Inc, OU = www....

January 25, 2022 · 8 min · Serhat M. Dündar
Road near La Cote-Saint-Andre (1885) - Johan Barthold Jongkind

Storing passwords in a database: hashing, salts, and peppers

“How do you store passwords in a database”? A very common question for back-end-oriented interviews. After conducting hundreds of technical interviews on different levels, I can confidently say around 50% of the candidates can’t answer this question. The most common answer I often got is “there is a package/gem/library we use, and it manages the password part”. Well, yes, frameworks, libraries, and packages cover most of the complexity nowadays, but I don’t accept this as an excuse for not being curious about essentials....

January 24, 2022 · 5 min · Serhat M. Dündar
Bords de riviere (1868) - Johan Barthold Jongkind

A primitive hashing function in Go

Cryptographic hash functions are complex mathematical calculations. Therefore understanding them requires a considerable amount of time and patience. However, they all have things in common: an input, a cryptographic algorithm, and an output. Recently, I had a chance to study some popular cryptographic hash functions, such as MD5 and SHA-1, and tried to understand how they really work. Wikipedia pages I linked include a considerable amount of information already, and more can be found online, but what I want to do was understand similarities between them and write my own primitive hashing function in Go....

January 23, 2022 · 4 min · Serhat M. Dündar
Paysage a la Côte Saint-Andre (1886) - Johan Barthold Jongkind

SSL/TLS handshake, hybrid encryption and public key infrastructure (PKI)

Hybrid Encryption: Symmetric and Asymmetric Encryption Combined Both symmetric and asymmetric encryption has advantages and disadvantages. So, which one should we use? Well, nowadays we often use them together. Asymmetric encryption is often used to exchange private keys between parties securely. In other words, parties who would communicate establish an asymmetric encryption protocol in the beginning just to exchange private keys. When the private key exchange is completed, they keep communicating by using symmetric encryption - which is faster than asymmetric encryption....

January 22, 2022 · 6 min · Serhat M. Dündar
Rue A Saint-Parize-Le-Chatel, Pres De Nevers (1862) - Johan Barthold Jongkind

Symmetric and asymmetric encryption

Symmetric Encryption (Private Key Cryptography) In symmetric encryption only a single key, in other words, a private key is used to encrypt and decrypt a message. Symmetric encryption is also known as “Private Key Cryptography” as the whole encryption is only based on a private key. Some popular symmetric encryption algorithms are: Algorithm Cipher Key Size Block/State Size Popularity Notes AES Block 128, 192, or 256 bits 128 bits 1 The best one....

January 21, 2022 · 13 min · Serhat M. Dündar
Landscape with Man on a Donkey (1849) - Johan Barthold Jongkind

Encrypting sensitive data with Rails

The most recent versions (5.1 and 5.2) of Ruby on Rails has shipped with a new feature named as encrypted credentials which replaces the secrets.yml, and enables you to keep sensitive data in an encrypted file named as config/credentials.yml.enc. However, this feature only works with a single file that is config/credentials.yml.enc. Recently we needed to add some data in our repository, which we wanted to keep as encrypted, but that also didn’t really fit into the credentials....

October 1, 2018 · 2 min · Serhat M. Dündar