Poll: What do we do with the Encrypter module?
Build it into CI4 core: 28 votes (59.57%)
Doesn't matter to me: 12 votes (25.53%)
Leave it out of the core: 7 votes (14.89%)
Total: 47 vote(s) (100%)

[done] Encrypter

#1
CodeIgniter 3 has an Encryption class. This was re-architected for CodeIgniter 4, as a service and with handlers. When the dust settled, we ended up with handlers for OpenSSL & Sodium. The Sodium handler, to remain simple & elegant, needed PHP 7.2 and CI4 was based on 7.0 or 7.1 at the time.

In the fall of 2018, we decided to not include our encryption module in CI4, and instead have directed developers to HALite.

Now that CI4 is built on PHP 7.2, the question then comes up again ... should we include a simple encryption module in CI4?
What is built, and ready to roll, has a very simple interface:

Code:
interface EncrypterInterface
{
    public function encrypt($data, $params = null);
    public function decrypt($data, $params = null);
}

Parameters include the cipher, digest and encoding to use.

Let us know if you think this belongs in the core, using the poll.
If so, are there other encryption-related features that should be part of the module, such as digital-signing?

----------------------------------------------------
This is a roadmap feature, or "epic", and a card on the roadmap board.
Component tasks will show up as issues or PRs on the development board.
We welcome comments & suggestions below.
James Parry
Project Lead

#2
I voted doesn't matter to me, but that's not entirely true. It does matter, but at the same time, I think we should be using a major library like Halite, rather than building it in. I don't think we need a wrapper over any specific library to include either. Let the encryption be handled by experts dedicated to working with encryption libraries, and have a curated list. Also, not every application necessarily even needs encryption. Why add bloat for something when it's not necessary? I would actually prefer there not to be an included encryption library. I get that for many implementations, encryption is essential, and in those instances, I want to use a library that's curated and has a track record I can look into. I want something that has a dedicated team of developers focusing on just that.

#3
I think encryption is a complex but such an essential module that it must be included in the core. Sure, there are valid and compelling reasons to use a library but not everyone has the skills/security know-how to set up encryption properly. Much better to have it included by default and documented than allow everyone to cook up their own implementation.

You can look at the deprecation of mcrypt in PHP 7.0 as an example. There are a lot of programs that remain stuck on PHP 5.6 because no built-in encryption module was provided in PHP 7.0.

Encryption should be provided by default because not everyone is a security expert.

#4
Please forgive my ignorance, but what are all these uses of encryption that everyone keeps referencing (and that I'm apparently not doing but should be)? I encrypt user passwords and that’s about it, and that with pretty basic code from Stackflow.
My general library philosophy is include it if the upkeep is worth the time it saves the user. I’m not worried so much about bloat in CI because everything is added modularly, so having the library doesn’t affect people who won’t use it.

#5
My two cents...

While I feel that encryption is important, I feel that it does not need to be in the CORE. Keeping the CI CORE light is what I feel will keep CI fast and efficient. Make it an addon or library instead of a CORE function.

#6
(03-24-2019, 11:31 AM)MGatner Wrote: Please forgive my ignorance, but what are all these uses of encryption that everyone keeps referencing (and that I'm apparently not doing but should be)? I encrypt user passwords and that’s about it, and that with pretty basic code from Stackflow.
My general library philosophy is include it if the upkeep is worth the time it saves the user. I’m not worried so much about bloat in CI because everything is added modularly, so having the library doesn’t affect people who won’t use it.

If you're encrypting user passwords, you're doing it very very wrong. Passwords need to be hashed and not encrypted.
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!

#7
Well I’m using password_hash so I assume I’m doing what you want me to be doing, but I guess I didn’t know that wasn’t encryption. So what else are people encrypting?

#8
(03-25-2019, 04:14 AM)MGatner Wrote: Well I’m using password_hash so I assume I’m doing what you want me to be doing, but I guess I didn’t know that wasn’t encryption. So what else are people encrypting?

Encrypting and hashing are 2 very different things. It's imperative developers understand this to build secure authentication systems.

Encrypting something means it can be decrypted. Hashing is one way.
Reply
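
The hashing/encryption distinction from posts #6 and #8, as an added example that is not part of any post in this thread and is not CodeIgniter's code. It assumes PHP 7.2+ with the bundled sodium extension; encryptField() and decryptField() are hypothetical helper names and the sample values are constructed.

```php
<?php
// Added example, not CodeIgniter code. Assumes PHP 7.2+ (bundled sodium extension).
// encryptField()/decryptField() are hypothetical helper names.

// Hashing: one-way. The only operation on a stored hash is checking a candidate.
$password = 'correct horse battery staple';            // constructed sample
$stored   = password_hash($password, PASSWORD_DEFAULT); // salt and cost are embedded in the output
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong guess', $stored));

// Encryption: two-way. Anyone holding the key can recover the plaintext,
// which is why it suits data the application must read back, not passwords.
function encryptField(string $plaintext, string $key): string
{
    // Fresh random nonce per message; it is not secret and travels with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function decryptField(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox is authenticated: a wrong key or modified data yields false, not garbage.
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Decryption failed: wrong key or modified data');
    }
    return $plain;
}

$key   = sodium_crypto_secretbox_keygen();
$token = encryptField('user@example.com', $key);        // constructed sample field
var_dump(decryptField($token, $key));                   // round-trips to the original value

try {
    decryptField($token, sodium_crypto_secretbox_keygen()); // different key
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```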

#9
Also, there should be a 3rd option to this poll which is "Leave it out of the core" which would be my vote.

#10
@albertleao Good idea - I have added that third option. My bad that I didn't think of it earlier!