Reasons to Avoid Mcrypt (opens in new tab)

(appsec.solutions)

16 pointsearthrise11y ago4 comments

4 comments

4 comments · 2 top-level

jmspring11y ago· 1 in thread

So, the arguments I see are:

- abandonware (fine), bugs, yes, but doesn't invalidate the case if you know the library and the warts

- design flaws make it hard to write correct code, it's crypto, you better know what you are doing regardless of the library

- algorithm identifies are confusing, see point above.

sarciszewski11y ago

From the article:

    Although it's possible to provide a relatively secure cryptography
    library that builds on top of mcrypt (the earlier version of
    defuse/php-encryption did), switching your code to openssl will
    provide better security, performance, maintainability, and
    portability.

The argument here isn't that mcrypt is doomed/inherently vulnerable, it's two-fold:

1. OpenSSL is a better choice, especially if you're an average PHP developer who is ignoring cryptographers' advice not to deploy your own crypto implementations

2. If a critical bug is found in libmcrypt, since nobody is maintaining it anymore, it is unlikely to get fixed. You are much safer using a library where patches are still being merged.

I hope this makes more sense.

smileysteve11y ago· 1 in thread

As a note, Laravel 4.2 uses mcrypt by standard. openssl is an option

sarciszewski11y ago

https://github.com/bcit-ci/CodeIgniter/blob/3a9eb39f61b10b3f...

CodeIgniter prioritizes OpenSSL over Mcrypt. I swear I did not tip their devs off before I wrote it, Andrey Andreev must have come to a similar conclusion on his own.

j / k navigate · click thread line to collapse

4 comments

4 comments · 2 top-level

jmspring11y ago· 1 in thread

So, the arguments I see are:

- abandonware (fine), bugs, yes, but doesn't invalidate the case if you know the library and the warts

- design flaws make it hard to write correct code, it's crypto, you better know what you are doing regardless of the library

- algorithm identifies are confusing, see point above.

sarciszewski11y ago

From the article:

    Although it's possible to provide a relatively secure cryptography
    library that builds on top of mcrypt (the earlier version of
    defuse/php-encryption did), switching your code to openssl will
    provide better security, performance, maintainability, and
    portability.

The argument here isn't that mcrypt is doomed/inherently vulnerable, it's two-fold:

1. OpenSSL is a better choice, especially if you're an average PHP developer who is ignoring cryptographers' advice not to deploy your own crypto implementations

2. If a critical bug is found in libmcrypt, since nobody is maintaining it anymore, it is unlikely to get fixed. You are much safer using a library where patches are still being merged.

I hope this makes more sense.

smileysteve11y ago· 1 in thread

As a note, Laravel 4.2 uses mcrypt by standard. openssl is an option

sarciszewski11y ago

https://github.com/bcit-ci/CodeIgniter/blob/3a9eb39f61b10b3f...

CodeIgniter prioritizes OpenSSL over Mcrypt. I swear I did not tip their devs off before I wrote it, Andrey Andreev must have come to a similar conclusion on his own.

j / k navigate · click thread line to collapse