Security Guide needs maintenance

The Ruby on Rails Security Guide
Securing Rails Applications — Ruby on Rails Guides has a
fairly embarrassing anachronism in it. In section 2.2 on Session ids it
reads

To date MD5 is uncompromised, but there have been collisions, so it is

theoretically possible to create another input text with the same hash
value.

Security experts know that MD5 is at this point deeply flawed and
untrustworthy for any cryptographic purpose. While I believe this
reassurance in the guide was true as of the time of writing, it is now
several years out of date and simply incorrect.

Fortunately, rails no longer actually relies on MD5 for session ids, I
believe since this
commithttps://github.com/rails/rails/commit/b3411ff59eb1e1c31f98f58f117a2ffaaf0c3ff5#diff-4in
2008.

I have tried a couple of times to contact Heiko Webers, at 42 {et}
rorsecurity.info, requesting that he update the document. But I have
gotten zero response from him since I first tried over 6 months ago.
Can
somebody please step up and update this document to reflect the current
reality? I’d also recommend changing the note at the top about who is
the
current maintainer of this document.

Cheers,
Leo

On Friday, March 1, 2013 10:02:05 PM UTC, Leo Dirac wrote:

I have tried a couple of times to contactHeiko Webers, at 42 {et}
rorsecurity.info, requesting that he update the document. But I have gotten zero
response from him since I first tried over 6 months ago. Can somebody please step
up and update this document to reflect the current reality? I’d also recommend
changing the note at the top about who is the current maintainer of this document.

With the default cookie store the cookie value is the session data so
what becomes important is the cookie signing which I believe is a sha1
hmac by default)
The rails guides (and all the docs in general) are managed via
https://github.com/lifo/docrails

Open a pull request there and someone from the docs team will review it
(and then generally give you commit rights). Docrails and rails itself
are then synced periodically.

Fred.