The Ruby on Rails Security Guide
Securing Rails Applications — Ruby on Rails Guides has a
fairly embarrassing anachronism in it. In section 2.2 on Session ids it
reads
To date MD5 is uncompromised, but there have been collisions, so it is
theoretically possible to create another input text with the same hash
value.
Security experts know that MD5 is at this point deeply flawed and
untrustworthy for any cryptographic purpose. While I believe this
reassurance in the guide was true as of the time of writing, it is now
several years out of date and simply incorrect.
Fortunately, rails no longer actually relies on MD5 for session ids, I
believe since this
commithttps://github.com/rails/rails/commit/b3411ff59eb1e1c31f98f58f117a2ffaaf0c3ff5#diff-4in
2008.
I have tried a couple of times to contact Heiko Webers, at 42 {et}
rorsecurity.info, requesting that he update the document. But I have
gotten zero response from him since I first tried over 6 months ago.
Can
somebody please step up and update this document to reflect the current
reality? I’d also recommend changing the note at the top about who is
the
current maintainer of this document.
Cheers,
Leo