| Subject: | PROTIP: If you're going to encrypt... |
|---|---|
| Summary: | Package rating comment |
| Messages: | 1 |
| Author: | Scott Arciszewski |
| Date: | 2015-12-12 06:36:27 |

Scott Arciszewski rated this package as follows:

| Utility: | Bad |
|---|---|
| Consistency: | Not sure |
| Examples: | Not sure |

Scott Arciszewski - 2015-12-12 06:36:27

PROTIP: If you're going to encrypt with MCRYPT_RIJNDAEL_256 (a non-AES variant of Rijndael) using MCRYPT_MODE_ECB (which is the most insecure mode you could choose), you don't need to waste cycles generating an IV. ECB mode doesn't use one.
 Also:
 
 - Chosen-ciphertext attacks
 - It uses ECB mode, which is a vulnerability in and of itself
 - It uses trim(), which means if you try to encrypt raw binary data with this library, it will corrupt it during decryption
 
 According to the other thread http://www.phpclasses.org/discuss/package/4925/thread/1/
 
 "This is a good class and useful for security in data transmission between client and server"
 
 No, this is not a good class and it is NOT useful for security.
 
 Also, don't use rand() to generate an encryption key. Ever. That's a worse decision than, say, using this PHP class in production.
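The three defects named in the comment above (ECB leaking plaintext structure, trim() destroying binary plaintext, and a non-CSPRNG key) can each be shown in a few lines. The following is an added example written for this page, not code from the reviewed package or from the commenter; it assumes PHP 7.1 or later with the openssl extension (mcrypt itself was removed in PHP 7.2), uses AES-128-ECB via openssl as a stand-in for MCRYPT_RIJNDAEL_256/ECB since the block-mode problem is identical, and the function names and the sample plaintext are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added demonstration for this thread; not the reviewed class's code.
// Assumes PHP >= 7.1 with ext/openssl. Function names are hypothetical.

// 1. ECB leaks structure: identical 16-byte plaintext blocks encrypt to
//    identical ciphertext blocks, so repetition is visible without the key.
function ecbRepeatedBlocks(string $key, string $plaintext): bool
{
    $ct = openssl_encrypt($plaintext, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
    $blocks = str_split($ct, 16);
    return count($blocks) !== count(array_unique($blocks));
}

// 2. trim() strips leading/trailing " \t\n\r\0\x0B", so any plaintext that
//    starts or ends with one of those bytes is silently corrupted after
//    decryption (a NUL-terminated or padded binary blob, for instance).
function trimCorruptsBinary(string $key, string $plaintext): bool
{
    $ct = openssl_encrypt($plaintext, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
    $pt = openssl_decrypt($ct, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
    return trim($pt) !== $plaintext;   // true means bytes were lost
}

// 3. The corrected shape: key and nonce from the CSPRNG (random_bytes, not
//    rand()), an authenticated mode so tampered ciphertext is rejected, and
//    base64 (length-preserving) instead of trim() for transport.
function sealAesGcm(string $key, string $plaintext): string
{
    $nonce = random_bytes(12);       // fresh per message; GCM nonces must never repeat under one key
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

function openAesGcm(string $key, string $encoded): string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed input');
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false) {
        // wrong key or modified ciphertext: GCM refuses instead of returning garbage
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Constructed sample: two identical blocks followed by two NUL bytes.
$plain  = str_repeat('A', 32) . "\x00\x00";
$ecbKey = random_bytes(16);

var_dump(ecbRepeatedBlocks($ecbKey, $plain));  // bool(true): blocks 1 and 2 collide
var_dump(trimCorruptsBinary($ecbKey, $plain)); // bool(true): trailing NULs stripped

$key    = random_bytes(32);                    // 256-bit key from the CSPRNG
$sealed = sealAesGcm($key, $plain);
var_dump(openAesGcm($key, $sealed) === $plain); // bool(true): round trip intact

// Tampering with one byte of the sealed message is detected, not decrypted.
$tampered = base64_encode(substr_replace(base64_decode($sealed), "\xFF", 30, 1));
try {
    openAesGcm($key, $tampered);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;             // authentication failed
}
```

The first two functions reproduce the failure modes the comment describes; the last two show the minimum a replacement needs (CSPRNG key, unique nonce, authenticated encryption, no trim()). A production deployment would also version the format and rotate keys, which is out of scope for this thread.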