[Rails] Re: Security Guide needs maintenance

Ruby on Rails Saturday, March 2, 2013

On Friday, March 1, 2013 10:02:05 PM UTC, Leo Dirac wrote:
> The Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html has a fairly embarrassing anachronism in it.  In section 2.2 on Session ids it reads 
>
>
> To date MD5 is uncompromised, but there have been collisions, so it is theoretically possible to create another input text with the same hash value.
>
>
>
> Security experts know that MD5 is at this point deeply flawed and untrustworthy for any cryptographic purpose.  While I believe this reassurance in the guide was true as of the time of writing, it is now several years out of date and simply incorrect.
>
> Fortunately, rails no longer actually relies on MD5 for session ids, I believe since this commit in 2008.
>
> I have tried a couple of times to contact Heiko Webers, at 42 {_et_} rorsecurity.info, requesting that he update the document.  But I have gotten zero response from him since I first tried over 6 months ago.  Can somebody please step up and update this document to reflect the current reality?  I'd also recommend changing the note at the top about who is the current maintainer of this document.
>
>

With the default cookie store the cookie value is the session data so what becomes important is the cookie signing which I believe is a sha1 hmac by default)
The rails guides (and all the docs in general) are managed via https://github.com/lifo/docrails

Open a pull request there and someone from the docs team will review it (and then generally give you commit rights). Docrails and rails itself are then synced periodically.

Fred.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/nMWB0KXnWrcJ.
For more options, visit https://groups.google.com/groups/opt_out.

Posted by Ruby on Rails at 1:15 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)