I note that CookieStore signs its data using SHA-1.
I have found this issue regarding this: https://github.com/rails/rails/pull/11677
There it was noted that documentation was updated from SHA512, which would appear to have been considered at one time, to using SHA1 “for compatibility”. SHA-1 is considered a deprecated cryptographic hash. The deprecation of support for SHA-1 certificates by Google in the Chrome browser is an example of proactive deprecation of obsolete algorithms that is generally well accepted by the community. The long-term lifespan of a CookieStore session cookie, coupled with the sensitivity of the session data often stored within it, should be considered to amplify the threat.
I was wondering what “compatibility” issues would be present in changing the default hash to SHA-256 for an upcoming Rails 5. It’s been supported in OpenSSL for a very long time, which is in turn used to generate this hash. The documentation update was over a year ago, and that only documented an earlier configuration change which I don’t believe to reflect current security practice.
Moreover, that particular PR discusses this as not being configurable. I’ve spent some time trying to get a gem to override it without much success.
Any assistance towards making this a default, or on how it could be turned into a gem, would be appreciated.
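
The compatibility question raised above, as an added example that is not part of the original post and is not Rails code: a stand-alone Ruby sketch that signs new values with HMAC-SHA256 while still accepting values signed with HMAC-SHA1, then re-issues them under the new digest. The `<base64 payload>--<hex HMAC>` layout, the helper names `sign`, `verify` and `upgrade`, and the secret are assumptions made for illustration.

```ruby
require "openssl"

# Constructed demo secret; a real application would use its own signing key.
SECRET = "constructed-demo-secret-not-a-real-key"

# Sign as "<base64 payload>--<hex HMAC>" (layout assumed for this sketch),
# with the digest passed in rather than hard-coded.
def sign(payload, digest: "SHA256", secret: SECRET)
  data = [payload].pack("m0") # strict base64, no newlines
  mac  = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(digest), secret, data)
  "#{data}--#{mac}"
end

# Constant-time comparison so verification does not leak a timing signal.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Try each accepted digest in order, preferred one first.
# Returns [payload, digest_that_matched] or nil if nothing verifies.
def verify(cookie, accept: %w[SHA256 SHA1], secret: SECRET)
  data, mac = cookie.to_s.split("--", 2)
  return nil if data.nil? || mac.nil? || data.empty?
  accept.each do |digest|
    expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(digest), secret, data)
    next unless secure_compare(expected, mac)
    return [data.unpack1("m0"), digest]
  end
  nil
rescue ArgumentError # payload was not valid strict base64
  nil
end

# Once a legacy value has verified, re-issue it under SHA-256 so that SHA-1
# can be dropped from the accept list after the longest cookie lifetime.
def upgrade(cookie)
  payload, digest = verify(cookie)
  return nil unless payload
  digest == "SHA256" ? cookie : sign(payload)
end
```

Passing `accept: %w[SHA256]` to `verify` is the end state of the migration: values signed only with SHA-1 are then rejected.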