Rails - Mar 2013 - Security Guide needs maintenance

The Ruby on Rails Security Guide 
http://guides.rubyonrails.org/security.html has a 
fairly embarrassing anachronism in it.  In section 2.2 on Session ids it 
reads 

To date MD5 is uncompromised, but there have been collisions, so it is
> theoretically possible to create another input text with the same hash 
> value.
>
Security experts know that MD5 is at this point deeply flawed and 
untrustworthy for any cryptographic purpose.  While I believe this 
reassurance in the guide was true as of the time of writing, it is now 
several years out of date and simply incorrect.

Fortunately, rails no longer actually relies on MD5 for session ids, I 
believe since this
commit<https://github.com/rails/rails/commit/b3411ff59eb1e1c31f98f58f117a2ffaaf0c3ff5#diff-4>in
2008.

I have tried a couple of times to contact Heiko Webers, at 42 {_et_} 
rorsecurity.info, requesting that he update the document.  But I have 
gotten zero response from him since I first tried over 6 months ago.  Can 
somebody please step up and update this document to reflect the current 
reality?  I''d also recommend changing the note at the top about who is
the
current maintainer of this document.

Cheers,
Leo

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit
https://groups.google.com/d/msg/rubyonrails-talk/-/5ovxlGSZFRUJ.
For more options, visit https://groups.google.com/groups/opt_out.

On Friday, March 1, 2013 10:02:05 PM UTC, Leo Dirac
wrote:
> The Ruby on Rails Security Guide
http://guides.rubyonrails.org/security.html has a
fairly embarrassing anachronism in it.  In section 2.2 on Session ids it reads 
> 
> 
> To date MD5 is uncompromised, but there have been collisions, so it is
theoretically possible to create another input text with the same hash value.
> 
> 
> 
> Security experts know that MD5 is at this point deeply flawed and
untrustworthy for any cryptographic purpose.  While I believe this reassurance
in the guide was true as of the time of writing, it is now several years out of
date and simply incorrect.
> 
> Fortunately, rails no longer actually relies on MD5 for session ids, I
believe since this commit in 2008.
> 
> I have tried a couple of times to contact Heiko Webers, at 42 {_et_}
rorsecurity.info, requesting that he update the document.  But I have gotten
zero response from him since I first tried over 6 months ago.  Can somebody
please step up and update this document to reflect the current reality?
 I''d also recommend changing the note at the top about who is the
current maintainer of this document.
> 
> 
With the default cookie store the cookie value is the session data so what
becomes important is the cookie signing which I believe is a sha1 hmac by
default)
The rails guides (and all the docs in general) are managed via
https://github.com/lifo/docrails

Open a pull request there and someone from the docs team will review it (and
then generally give you commit rights). Docrails and rails itself are then
synced periodically.

Fred.

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit
https://groups.google.com/d/msg/rubyonrails-talk/-/nMWB0KXnWrcJ.
For more options, visit https://groups.google.com/groups/opt_out.