[thinkzig]

What led you to say that it was?

Section 5.1 of this whitepaper[1] by Rizzo and Duong, that lists Ruby on Rails as one of the web frameworks vulnerable to this attack.

Granted, this paper was published in May, and I'm not a Rails guy, so it's quite possible this has been patched as well.

[1]http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf

[tptacek]

Their comment about MessageEncryptor is accurate, but I don't believe the bare #encrypt (which could create a vulnerability if exceptions weren't laundered) is used anywhere. Rails sessions are encrypted and then HMAC'd. This pattern isn't susceptable to padding side channels.