Subject: This Encryption class should NOT be...
Summary: Package rating comment
Messages: 2
Author: John Conde
Date: 2020-06-06 03:20:28
John Conde rated this package as follows:
Utility: Bad
Consistency: Insufficient
John Conde - 2020-06-06 03:20:28
This Encryption class should NOT be used. It is NOT secure and its use would be dangerous to any application that uses it.
When working with encryption the secret key should actually be a secret! Having it hard-coded is a security vulnerability. It's twice as bad that it is the same every time the class is used. It's even worse that the initialization vector (IV) is also hard coded. That should ALWAYS be unique for every piece of information that is encrypted. Hard coding it into the class defeats the purpose of having the IV and significantly weakens the effectiveness of the encryption.
The class properties use the var keyword instead of private/protected/public. This means by default those class properties are public and the "secret" key and "secret" IV can be accessed by other pieces of code. That is an obvious security vulnerability.
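The weak pattern this review describes next to a hardened form, as an added PHP example (a constructed illustration, not the reviewed package's code): the `WeakEncryption` and `Encryption` class names and their methods are assumptions.

```php
// Added illustration, not the reviewed package's code.
// Weak pattern from the review: `var` makes key and IV public, and both are hard-coded.
class WeakEncryption
{
    var $key = 'hard-coded-32-byte-secret-key!!!'; // readable as $obj->key, same for every caller
    var $iv  = '0123456789abcdef';                 // same IV for every message
    function encrypt($plaintext)
    {
        // Equal plaintexts give equal ciphertexts, and nothing detects tampering.
        return openssl_encrypt($plaintext, 'aes-256-cbc', $this->key, 0, $this->iv);
    }
}

// Hardened form: key supplied from outside the code (env var or secrets store) and kept
// private; a fresh random IV per call stored with the ciphertext; GCM detects tampering.
final class Encryption
{
    private const CIPHER = 'aes-256-gcm';
    private string $key;
    public function __construct(string $key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('key must be 32 random bytes');
        }
        $this->key = $key;
    }
    public function encrypt(string $plaintext): string
    {
        $iv  = random_bytes(openssl_cipher_iv_length(self::CIPHER)); // unique per message
        $tag = '';
        $ct  = openssl_encrypt($plaintext, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        return base64_encode($iv . $tag . $ct); // the IV is not secret, only unique
    }
    public function decrypt(string $encoded): string
    {
        $raw   = base64_decode($encoded, true);
        $ivLen = openssl_cipher_iv_length(self::CIPHER);
        if ($raw === false || strlen($raw) < $ivLen + 16) {
            throw new RuntimeException('malformed ciphertext');
        }
        $iv  = substr($raw, 0, $ivLen);
        $tag = substr($raw, $ivLen, 16);
        $pt  = openssl_decrypt(substr($raw, $ivLen + 16), self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        if ($pt === false) {
            throw new RuntimeException('decryption failed: wrong key or tampered data');
        }
        return $pt;
    }
}
```

Construct it as `new Encryption(base64_decode(getenv('APP_ENC_KEY')))` with 32 random bytes generated once outside the code base, so the key never appears in source control.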
Naveed urRehman - 2020-06-09 18:47:39 - In reply to message 1 from John Conde
Thanks for the comments, I have changed the variable to private and updated the code file.