[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

Abbas Naderi abiusx at owasp.org
Wed Nov 25 18:42:17 UTC 2015


Jim,
The purpose of this library is to replace a plain-text password with a slightly harder to read equivalent.

There is no way to totally remove a plain-text password from the source code. It is eventually needed to connect to a server or other place. This library just adds one step around this, making it impossible for the over-the-shoulder looks to steal the password. That’s all. I don’t see any security risks with it! If you do, please point them out to me.

Also it has nothing to do with cryptography. Just because it uses encryption as a means of masking, does not make it a crypto library. As I mentioned before, these gentlemen are confused just because the class name is “Encryption”. In that case, renaming the class name is all that we need.

Regards
-Abbas


> On Nov 25, 2015, at 1:39 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
> > They are not trolling? Then how come we had this conversation with two of them a few days ago, 
> > and when they didn’t find the result they were seeking, they just added 4-5 more friends to repeat the same arguments on the same issue thread on github?
> > I call that trolling.
> 
> Some may call it seeking more expert opinions....
> 
> > What do you mean they are leaders in applied cryptography? 
> 
> Several of these gentlemen work on various standards, actually. My understanding is that you have significant expertise in this area as well, so I'm listening. :)
> 
> > The library then replaces that password with an encrypted version with a key that is hardcoded. The only purpose is to mask the password so that it is not leaked by a quick look at the code (e.g. presentations, etc.)
> 
> Hard coding a password or key in a security library does not seem reasonable, what am I missing? Shouldn't this be configurable or more?
> 
> - Jim
> 
> On 11/25/15 8:35 PM, Abbas Naderi wrote:
>> They are not trolling? Then how come we had this conversation with two of them a few days ago, 
>> and when they didn’t find the result they were seeking, they just added 4-5 more friends to repeat the same arguments on the same issue thread on github?
>> I call that trolling.
>> 
>> What do you mean they are leaders in applied cryptography?
>> 
>> Technical details:
>> We have a library in the code, the role of which is to mask sensitive information. The developers have to use it specifically, e.g.
>> 
>> sensitive_information(“this is my password”).
>> 
>> The library then replaces that password with an encrypted version with a key that is hardcoded. The only purpose is to mask the password so that it is not leaked by a quick look at the code (e.g. presentations, etc.)
>> 
>> Unfortunately the library is named Encryption instead of sensitive_information, although the function is named confidentialString. 
>> 
>> Their proposed solution is to remove the library. Mine is to rename the library. They agree with my solution but don’t agree with doing it, they just want the entire library brought down.
>> 
>> What part of that sounds logical to you?
>> 
>> -Abbas
>> 
>> 
>>> On Nov 25, 2015, at 1:31 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>> 
>>> Abbas,
>>> 
>>> I know these gentlemen well, and I read their comments. I do not feel these are trolls (at all). In fact, they are leaders in applied cryptography. No one is saying these things to hurt you or hurt OWASP, they are genuinely concerned and are trying to help.
>>> 
>>> But by all means, if you feel these comments are not accurate, would you care to discuss some of the details on list here? This could lead to good technical discussion.
>>> 
>>> Aloha,
>>> -- 
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> 
>>> 
>>> On 11/25/15 8:20 PM, Abbas Naderi wrote:
>>>> They are trying to troll the project.
>>>> Read the thread at https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to realize that.
>>>> We have provided ample opportunity for them to contribute, fix, or help the project.
>>>> All they want is to take the project down, which I obviously refuse.
>>>> 
>>>> I don’t think it really hurts OWASP reputation. If anyone delves into the technical discussions that would be apparent.
>>>> Regards
>>>> -Abbas
>>>> 
>>>>> On Nov 25, 2015, at 1:17 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>> 
>>>>> Hi Erlend
>>>>> 
>>>>> We are aware of the issues and remediation is underway ;-)
>>>>> 
>>>>> regards
>>>>> 
>>>>> Johanna
>>>>> 
>>>>> On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>> Yup, it's bad.
>>>>> 
>>>>> Johanna Curiel and Claudia are leading the charge here. They are in the process of fully removing the project from GitHub. As in, right now…
>>>>> 
>>>>> - Jim
>>>>> 
>>>>> 
>>>>> 
>>>>> On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>>>>> Hi
>>>>>> 
>>>>>> See https://twitter.com/voodooKobra/status/669537889500311553 and the link in that message. 
>>>>>> 
>>>>>> According to the OWASP website the project is inactive, yet contributions are made on github, and there are no signs of the project status on github.
>>>>>> The crypto code is bad, as voodooKobra rightly points out. With a known key and iv, this encryption is useless.
>>>>>> And the code is referenced from stackoverflow++.
>>>>>> 
>>>>>> When deactivating a project we need to make sure the deactivation is clearly visible on github as well.
>>>>>> 
>>>>>> Best regards
>>>>>> Erlend Oftedal
>>>>>> OWASP Norway
>>>>>> @webtonull
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> 
>>>> 
>>> 
>> 
> 
> -- 
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
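As an added illustration of the technical point argued in this thread (not phpsec's own code): a Python sketch of the masking scheme Abbas describes, using a constructed hard-coded key and IV and an HMAC-based stream cipher as a stand-in for the real cipher. It shows that a value produced by such a `confidentialString`-style function is reversible by anyone who can read the repository, since the key and IV sit beside it, and contrasts that with reading the secret from the environment at runtime so that nothing recoverable is committed to source.

```python
# Added example, not part of OWASP phpsec. Demonstrates why "masking" a
# password under a key and IV that are hard-coded in the same source tree
# gives no confidentiality against anyone who can read that source tree.
import hashlib
import hmac
import os

# Constructed stand-ins for the library's hard-coded key and IV (assumed).
HARDCODED_KEY = b"constructed-demo-key"
HARDCODED_IV = b"\x00" * 16


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256 in counter mode (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def confidential_string(secret: str) -> str:
    """Mask a secret the way the thread describes: encrypt under the repo's fixed key/IV."""
    data = secret.encode()
    ks = _keystream(HARDCODED_KEY, HARDCODED_IV, len(data))
    return bytes(a ^ b for a, b in zip(data, ks)).hex()


def reveal(masked: str) -> str:
    """The library itself must do this to use the password; so can anyone holding the repo."""
    data = bytes.fromhex(masked)
    ks = _keystream(HARDCODED_KEY, HARDCODED_IV, len(data))
    return bytes(a ^ b for a, b in zip(data, ks)).decode()


def masked_value_is_reversible_from_source(secret: str) -> bool:
    """True whenever key, IV and masked value all live in the same checkout."""
    return reveal(confidential_string(secret)) == secret


def db_password_from_environment(env=os.environ) -> str:
    """Alternative: source names the setting only; the value is injected at deploy time."""
    value = env.get("DB_PASSWORD")
    if value is None:
        raise RuntimeError("DB_PASSWORD not set; refusing to start with a built-in secret")
    return value
```

Because the scheme is deterministic, the same password always masks to the same string, so it also identifies identical secrets across repositories rather than hiding them.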