To those writing programming language benchmarks: Stop benchmarking rand(). You are hurting security by penalizing default CSPRNG use.
Oh, and btw, 1ms of overhead means you can only ever get 1000 requests per second if everything else takes 0 time. Which makes frameworks like Rails look "ridiculously slow" because of the fallacy of measuring "requests per second" rather than "acceptable overhead".
And no, I don't think the answer is for Rails to have a turbo benchmark mode that turns off security. People would press the button for no reason "because perf" and make tons of vulnerable apps.
So, a "move fast and break things" button. I like it.

End of conversation
New conversation
I don't understand where 1ms comes from. If you authenticate a ~100b cookie with hmac(sha1), it should take microseconds. bcrypt is only relevant for password storage (session establishment), not for any other request.
It's a bunch of different things that add up. Also please feel free to write a framework that only uses bcrypt in the "right requests" and establishes a programming model around it.
I'm OK with heavyweight frameworks that do lots for you. But I don't think it's right to blame security for a 1ms overhead. I'm not a security expert, though, so maybe I am missing how bcrypt is supposed to be used. If so, I want to be corrected so I don't write insecure code!
My point is that I don't think we need to spend a lot of time discussing 1ms of overhead. But there's a lot of security by default in Rails: CSRF protection, XSS protection, secure cookies, "strong parameters", various DoS mitigations, etc. It adds up.
End of conversation
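To put numbers on the two claims above (the opening tweet's point that a CSPRNG is cheap enough to be the default, and the exchange about an HMAC-authenticated ~100-byte cookie costing microseconds while bcrypt belongs only to password storage), here is an added, self-contained Python example that is not part of the thread. It signs and verifies a constructed cookie with HMAC-SHA256 using a constant-time comparison, measures the per-request cost, measures CSPRNG token generation, and contrasts both with a deliberately slow password hash. PBKDF2 from the standard library stands in for bcrypt (an assumption made so the block runs without third-party packages); the key, payload and iteration counts are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key and cookie payload for the example (not real secrets).
KEY = secrets.token_bytes(32)
PAYLOAD = b"user_id=42&role=member&exp=1700000000&" + b"x" * 60  # roughly 100 bytes


def sign_cookie(payload: bytes, key: bytes = KEY) -> bytes:
    """Return payload || '.' || hex(HMAC-SHA256(key, payload))."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def verify_cookie(cookie: bytes, key: bytes = KEY):
    """Return the payload if the tag checks out, else None.

    hmac.compare_digest avoids leaking how many tag bytes matched through timing.
    """
    payload, sep, tag = cookie.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def microseconds_per(fn, iterations: int) -> float:
    """Average wall-clock cost of fn() in microseconds."""
    start = time.perf_counter()
    for _ in range(iterations):
        fn()
    return (time.perf_counter() - start) / iterations * 1e6


def per_request_cost_us(iterations: int = 2000) -> float:
    """Cost of one sign + verify round trip, i.e. the per-request cookie check."""
    def round_trip():
        if verify_cookie(sign_cookie(PAYLOAD)) != PAYLOAD:
            raise RuntimeError("cookie round trip failed")
    return microseconds_per(round_trip, iterations)


def csprng_cost_us(iterations: int = 2000) -> float:
    """Cost of drawing a 16-byte token from the OS CSPRNG (what rand() benchmarks penalize)."""
    return microseconds_per(lambda: secrets.token_bytes(16), iterations)


def password_hash_cost_us(iterations: int = 3) -> float:
    """Stand-in for bcrypt: a password hash is designed to be slow (milliseconds),
    which is why it belongs at session establishment only, not on every request."""
    return microseconds_per(
        lambda: hashlib.pbkdf2_hmac("sha256", b"correct horse", b"salt" * 4, 200_000),
        iterations,
    )


if __name__ == "__main__":
    print(f"HMAC cookie sign+verify: {per_request_cost_us():8.1f} us/request")
    print(f"CSPRNG 16-byte token:    {csprng_cost_us():8.1f} us/call")
    print(f"Password hash (PBKDF2):  {password_hash_cost_us():8.1f} us/call")
```

Run it and the first two figures land in the single-digit microsecond range on ordinary hardware, several orders of magnitude under the 1ms being argued over, while the password hash alone costs tens of milliseconds. The design point the thread makes falls out of the numbers: the cheap checks can run on every request by default, and the expensive one is only paid when a session is created.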
New conversation
Any web framework not activating security by default and keeping up with the current issues is not worth using. Rails did a great job at that.
Yehuda, count on GDPR - it will punish Rails for such behaviour very well. A lot of people in the EU will be eligible to sue Rails for such defaults.