On Wed, 24 Jul 2013 09:59:14 -0700, Steve Weis <[email protected]> wrote: 
>
>I skimmed a couple files of this project. It does not inspire confidence.

Hi,

I have discussed these issues with the primary developer of Red.

>
>In 7 lines of encryption code, they unsafely use ECB, don't
>authenticate their ciphertext, don't have any comments, don't have any
>testing, and have a couple WTF lines like XORing parts of the key with
>itself:
>https://github.com/friendica/red/blob/master/include/crypto.php#L169
>


This is a function which provides MySQL-compatible AES encryption that came
from the web. Its only saving grace is that it does MySQL-compatible
encryption/decryption.

Red no longer needs to maintain compatibility with MySQL encryption. This
function is not used *at all* in Red and there are no plans to use it ever. It
just has not been removed yet.


>There also might be some SQL injection issues in this file, although I
>didn't check it in depth:
>https://github.com/friendica/red/blob/master/include/security.php

Feel free to check it in depth. It's possible something may be missed (it
happens) but this is why we have open source. Help and contributions to the
pledgie page are much appreciated.


Thank you,



>
>On Tue, Jul 23, 2013 at 7:45 PM, h0ost <[email protected]> wrote:
>> An interesting new project, combining ideas that seem increasingly
>> significant in our times (decentralization, privacy via access control
>> lists and public key encryption, single sign-on, etc.).
>>
>> I think they are the core devs that did the Friendica social network a
>> few years back, and this is their new project.
>>
>> https://github.com/friendica/red
>--
>Too many emails? Unsubscribe, change to digest, or change password by
>emailing moderator at [email protected] or changing your settings at
>https://mailman.stanford.edu/mailman/listinfo/liberationtech
>

--
Waitman Gobble
San Jose California USA
+1.5108307875
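Added example, not code from this thread or from Red: a Go reproduction of what a "MySQL-compatible AES" function does (assumed here to be MySQL's XOR key folding followed by raw AES-ECB, the two things the critique above calls out), together with the block-repetition check a reviewer or ciphertext scanner would run to flag ECB. The function names, the passphrase and the sample plaintext are constructed for this demo.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// foldKey reproduces MySQL's AES_ENCRYPT key derivation (assumed here, not code
// from Red): the key string is XOR-folded into 16 bytes, the "XORing parts of the
// key with itself" line. A 32-byte key of two equal halves folds to all zeros.
func foldKey(key []byte) []byte {
	out := make([]byte, 16)
	for i, b := range key {
		out[i%16] ^= b
	}
	return out
}

// ecbEncrypt is the legacy MySQL-compatible construction: raw AES-ECB, no IV,
// no authentication tag. pt must be a multiple of 16 bytes; PKCS#7 padding is
// left out because the point here is the block-level leak, not the padding.
func ecbEncrypt(key, pt []byte) []byte {
	block, _ := aes.NewCipher(foldKey(key)) // cannot fail: folded key is 16 bytes
	ct := make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// hasRepeatedBlock is the check a reviewer or ciphertext scanner runs: ECB maps
// equal plaintext blocks to equal ciphertext blocks, so a repeated 16-byte block
// is the ECB fingerprint. A fresh-IV mode, ideally an AEAD like AES-GCM, won't.
func hasRepeatedBlock(ct []byte) bool {
	seen := make(map[string]bool)
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

func main() {
	// Constructed sample: two identical plaintext blocks under a folded key.
	ct := ecbEncrypt([]byte("a fairly long passphrase"), []byte("REPEATED BLOCK 1REPEATED BLOCK 1"))
	fmt.Println("ECB fingerprint found:", hasRepeatedBlock(ct)) // true
}
```

The folding also means any key longer than 16 bytes buys no extra strength, and several distinct key strings are equivalent, which is why a reviewer reads that XOR line as a defect rather than a derivation.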