Can I use this CI Starter? Is it safe?
(03-05-2015, 12:43 PM)ivantcholakov Wrote: @Narf I guess I got the wrong impression then, sorry about that.

I wasn't specific indeed ... I didn't think I need to be, because you too have no reason to roll your own instead of using CI_Encryption. That alone is a reason enough to dismiss your library, because the first rule in cryptography is "don't roll your own".

If I have to be specific - it doesn't use authentication (HMAC), no timing safe comparison, it falls back to mt_rand() for key generation, it has this weird salting algorithm that is wrong on at least 3 levels (including usage of MD5), it has an escapeshellarg() method that has nothing to do with cryptography, the code itself is very unclear and it is obviously designed to encrypt passwords ... which is wrong by default, even if you did provide a very rare use-case for that.

Please just delete that library altogether. I mean, if any cryptography expert sees it, you'll be publicly shamed for writing it ... and I mean that on a very large scale, not within the realms of this forum.

(03-05-2015, 02:14 PM)ivantcholakov Wrote: I have just added warning notes within the Password library, thank you. https://github.com/ivantcholakov/starter...d4a7a0f74c

That's an improvement, I'll give you that ... but if it's called "Password", then encrypt/decrypt methods simply don't belong in it. People make bad decisions every time you give them the chance to, and as I said - that's very dangerous when it comes to security.
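The properties the post above lists (HMAC authentication, timing-safe comparison, no mt_rand() fallback for keys, passwords hashed rather than encrypted) shown together in one sketch. This is an added example, not part of the thread and not code from the Starter project or CI_Encryption; the function names demo_key, demo_seal and demo_open and the sample values are assumptions, and PHP 8 with the OpenSSL extension is assumed.

```php
<?php
// Added illustration; demo_key/demo_seal/demo_open are hypothetical names.

// Key generation: CSPRNG only; random_bytes() throws instead of falling back to mt_rand().
function demo_key(): string
{
    return random_bytes(32);
}

// Encrypt-then-MAC: AES-256-CTR for secrecy, HMAC-SHA256 for authentication.
function demo_seal(string $plaintext, string $key): string
{
    $encKey = hash_hkdf('sha256', $key, 32, 'encryption');
    $macKey = hash_hkdf('sha256', $key, 32, 'authentication');
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-ctr'));
    $ct = openssl_encrypt($plaintext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    return hash_hmac('sha256', $iv . $ct, $macKey, true) . $iv . $ct;
}

// Returns the plaintext, or null if the message was modified or truncated.
function demo_open(string $sealed, string $key): ?string
{
    $ivLen = openssl_cipher_iv_length('aes-256-ctr');
    if (strlen($sealed) < 32 + $ivLen) {
        return null;
    }
    $mac = substr($sealed, 0, 32);
    $iv  = substr($sealed, 32, $ivLen);
    $ct  = substr($sealed, 32 + $ivLen);
    $macKey = hash_hkdf('sha256', $key, 32, 'authentication');
    // Verify the tag with a timing-safe comparison before decrypting anything.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        return null;
    }
    $encKey = hash_hkdf('sha256', $key, 32, 'encryption');
    $pt = openssl_decrypt($ct, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Constructed sample values: one intact message, one with a flipped IV bit.
$key = demo_key();
$sealed = demo_seal('session data', $key);
$tampered = $sealed;
$tampered[40] = chr(ord($tampered[40]) ^ 1);
var_dump(demo_open($sealed, $key), demo_open($tampered, $key));
// Passwords are hashed with a password hashing function, never encrypted.
$hash = password_hash('constructed-sample-password', PASSWORD_DEFAULT);
var_dump(password_verify('constructed-sample-password', $hash));
```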