Hi, my name is Scott Arciszewski and I am a web programmer and security researcher.
Last week I opened a [url=https://github.com/opencart/opencart/pull/1594]github issue[/url] to raise awareness that the encryption library isn't secure. To wit: it's using ECB mode instead of CBC and ciphertexts are not authenticated; additionally, the wrong MCRYPT constant is used (AES is MCRYPT_RIJNDAEL_128 even if a 256-bit key is provided).
The response I received from Daniel Kerr was less than professional (screenshots for the sake of preserving history):
[img]https://scott.arciszewski.me/public/gmail-ss.png[/img]
[img]https://scott.arciszewski.me/public/github-ss.png[/img]
[b]What does this mean for OpenCart users?[/b]
It means that the owner of OpenCart does not welcome well-meaning security enhancements from volunteers on github, and I would strongly encourage everyone to read the code carefully before they use it in a production system, because if the core developer has an unwelcoming attitude towards security researchers, two things will happen:
1. Security holes that might have otherwise been fixed will remain open.
2. Jaded security researchers might focus their efforts on exploiting holes rather than fixing them, out of spite.
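The two library weaknesses named in the post (ECB exposing repeated plaintext blocks, and unauthenticated ciphertext being decrypted without complaint) demonstrated in an added PHP example that is not OpenCart's code. It uses PHP's OpenSSL binding instead of the mcrypt extension; the helper names and sample strings are constructed for the demonstration.

```php
<?php
// Added example, not OpenCart's library. In mcrypt terms AES is MCRYPT_RIJNDAEL_128
// (16-byte block) with a 16/24/32-byte key; MCRYPT_RIJNDAEL_256 is a different cipher
// with a 32-byte block, which is why it does not interoperate with real AES-256.

// ECB: identical plaintext blocks produce identical ciphertext blocks, CBC hides them.
function ecbLeaksRepeatedBlocks(string $key): array
{
    $plaintext = str_repeat('0123456789abcdef', 3);          // constructed: same 16-byte block x3
    $ecb = openssl_encrypt($plaintext, 'aes-256-ecb', $key, OPENSSL_RAW_DATA);
    $iv  = random_bytes(16);
    $cbc = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return [
        // 4 output blocks (3 data + 1 padding); ECB repeats the first three -> 2 distinct
        'ecb_distinct_blocks' => count(array_unique(str_split($ecb, 16))),
        // CBC chains each block into the next -> all 4 distinct (with overwhelming probability)
        'cbc_distinct_blocks' => count(array_unique(str_split($cbc, 16))),
    ];
}

// Unauthenticated CBC: a modified ciphertext still decrypts "successfully" (to garbage),
// whereas an HMAC over IV||ciphertext, checked before decryption, rejects it.
function tamperingGoesUnnoticedWithoutMac(string $encKey, string $macKey): array
{
    $plaintext = 'amount=10;user=alice';                       // constructed record, 2 blocks
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);      // what an authenticated scheme adds

    $tampered = $ct;
    $tampered[0] = chr(ord($tampered[0]) ^ 0x01);               // corrupt one bit of block 0
    // Block 0 of the plaintext becomes garbage, block 1 gets one bit flipped, the padding
    // bytes at the end of block 1 are untouched, so openssl_decrypt does not fail.
    $decrypted = openssl_decrypt($tampered, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $expectedTag = hash_hmac('sha256', $iv . $tampered, $macKey, true);

    return [
        'unauthenticated_decrypt_accepts_it' => $decrypted !== false,        // true
        'hmac_check_rejects_it'              => !hash_equals($tag, $expectedTag), // true
    ];
}

$encKey = random_bytes(32);
$macKey = random_bytes(32);                                      // separate key for the MAC
print_r(ecbLeaksRepeatedBlocks($encKey));
print_r(tamperingGoesUnnoticedWithoutMac($encKey, $macKey));
```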