On Friday, March 1, 2013 10:02:05 PM UTC, Leo Dirac wrote:
> The Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html 
> has a fairly embarrassing anachronism in it.  In section 2.2 on Session ids 
> it reads:
> 
> To date MD5 is uncompromised, but there have been collisions, so it is 
> theoretically possible to create another input text with the same hash value.
> 
> Security experts know that MD5 is at this point deeply flawed and 
> untrustworthy for any cryptographic purpose.  While I believe this 
> reassurance in the guide was true as of the time of writing, it is now 
> several years out of date and simply incorrect.
> 
> Fortunately, Rails no longer actually relies on MD5 for session ids, I 
> believe since this commit in 2008.
> 
> I have tried a couple of times to contact Heiko Webers, at 42 {_et_} 
> rorsecurity.info, requesting that he update the document.  But I have gotten 
> zero response from him since I first tried over 6 months ago.  Can somebody 
> please step up and update this document to reflect the current reality?  I'd 
> also recommend changing the note at the top about who is the current 
> maintainer of this document.
> 

With the default cookie store the cookie value is the session data, so what 
becomes important is the cookie signing (which I believe is a SHA1 HMAC by 
default).
The Rails guides (and all the docs in general) are managed via 
https://github.com/lifo/docrails

Open a pull request there and someone from the docs team will review it (and 
then generally give you commit rights). Docrails and Rails itself are then 
synced periodically.

Fred.
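Fred's point about the default cookie store, as an added example that is neither part of this thread nor Rails' own code: the session data itself is the cookie value, and an HMAC over it is all that stops a client from editing it. The secret is a constructed test value, and JSON is used in place of the Marshal serialisation Rails used at the time, so that verification never deserialises executable data.

```ruby
require 'openssl'
require 'json'

# Added example, not Rails' own code: a minimal version of the signed-cookie
# scheme described above. With the default CookieStore the session data itself
# lives in the cookie and an HMAC (SHA1 in Rails of that era) is the only thing
# stopping a client from editing it. JSON stands in for Rails' Marshal
# serialisation so that verifying a cookie never deserialises executable data.
class SessionCookieSigner
  SEPARATOR = '--'

  def initialize(secret, digest: 'SHA1')
    raise ArgumentError, 'secret must not be empty' if secret.to_s.empty?
    @secret = secret
    @digest = digest
  end

  # "<strict base64 payload>--<hex HMAC over the payload>"
  def generate(session_hash)
    payload = [JSON.generate(session_hash)].pack('m0')
    "#{payload}#{SEPARATOR}#{mac_for(payload)}"
  end

  # Returns the session hash when the MAC is valid, nil otherwise. The MAC is
  # checked before the payload is decoded, so forged input is never parsed.
  def verify(cookie_value)
    return nil unless cookie_value.is_a?(String) && cookie_value.include?(SEPARATOR)
    payload, mac = cookie_value.split(SEPARATOR, 2)
    return nil unless secure_compare(mac_for(payload), mac)
    JSON.parse(payload.unpack1('m0'))
  rescue JSON::ParserError, ArgumentError
    nil
  end

  private

  def mac_for(payload)
    OpenSSL::HMAC.hexdigest(@digest, @secret, payload)
  end

  # Constant-time comparison: the loop touches every byte, so response time
  # does not reveal at which position a guessed MAC first went wrong.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Rotating the secret invalidates every outstanding cookie, which is the expected way to revoke sessions stored entirely client-side.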
