Friday, March 1, 2013
The Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html has a fairly embarrassing anachronism in it. In section 2.2 on Session ids it reads
To date MD5 is uncompromised, but there have been collisions, so it is theoretically possible to create another input text with the same hash value.
Security experts know that MD5 is at this point deeply flawed and untrustworthy for any cryptographic purpose. While I believe this reassurance in the guide was true as of the time of writing, it is now several years out of date and simply incorrect.
Fortunately, rails no longer actually relies on MD5 for session ids, I believe since this commit in 2008.
I have tried a couple of times to contact Heiko Webers, at 42 {_et_} rorsecurity.info, requesting that he update the document. But I have gotten zero response from him since I first tried over 6 months ago. Can somebody please step up and update this document to reflect the current reality? I'd also recommend changing the note at the top about who is the current maintainer of this document.
Cheers,
Leo
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/5ovxlGSZFRUJ.
For more options, visit https://groups.google.com/groups/opt_out.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment