@bascule looks like it https://github.com/rails/rails/blob/master/activesupport/lib/active_support/message_verifier.rb#L31 … is that bad?
Does ActionController::Session::CookieStore really default to using SHA1? SHA1 is "not recommended for new projects"
@markov_twain it's not good, heh. Should probably be SHA256 at least
@bascule wikipedia sez sha1 is good for verifying data integrity, bad for security — seems like cookies only need the former. am I wrong?
@markov_twain cryptographic best practices would suggest upgrading at this point
@bascule I'd send in a PR to change the default to SHA256 but I feel like I need a more convincing argument than "Tony says so"
@bascule I think the idea is that it doesn’t matter how strong it is?
@bascule rails is hardly a "new project"