[Owasp-board] Fwd: [phpsec] confidentialString function uses hard-coded key (#108)

johanna curiel curiel johanna.curiel at owasp.org
Wed Nov 25 15:47:27 UTC 2015

This is why higher criteria and revision are needed for the defender library.

See comment of user.


---------- Forwarded message ----------
From: Scott <notifications at github.com>
Date: Wed, Nov 25, 2015 at 11:14 AM
Subject: Re: [phpsec] confidentialString function uses hard-coded key (#108)
To: OWASP/phpsec <phpsec at noreply.github.com>
Cc: owaspjocur <johanna.curiel at owasp.org>

Oh my god OWASP, why are you shipping your own broken cryptography library?


Hey, I heard you like PHP Object Injection from chosen-ciphertext attacks,
because you're not authenticating your ciphertext at all.


I really hope nobody uses this, and instead opts for a sane authenticated
encryption library, such as defuse/php-encryption
