by CiPHPerCoder
3623 days ago
I'm the person who published this advisory to oss-sec and a co-author of https://github.com/defuse/php-encryption. I also wrote https://github.com/paragonie/halite, which is a PHP library that aims to make libsodium incredibly easy for PHP developers to get right. For systems that need asymmetric crypto and can't install libsodium, I also wrote https://github.com/paragonie/EasyRSA, which side-steps a lot of the mistakes developers make. EasyRSA uses defuse for symmetric-key encryption, then encrypts the AES key with RSA.

Writing secure cryptography isn't trivial. Assuming the three projects I just linked to are secure enough to use (all indications point to: they are), there's literally no reason to reinvent the wheel solely for Magento. Magento already uses Composer; they could just add them to their composer.json file and rewrite their routines to use defuse + maybe EasyRSA if they have a use case for it.

Zend\Crypt is also an acceptable choice, as long as you don't install the version with an RSA implementation vulnerable to padding oracle attacks: https://framework.zend.com/security/advisory/ZF2015-10
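The hybrid pattern the comment describes (encrypt the data under a fresh symmetric key from defuse/php-encryption, then wrap only that key with RSA) as an added illustration. This is example code written for this page, not EasyRSA's own implementation, whose internals differ. It assumes the defuse/php-encryption v2 API (`Key::createNewRandomKey`, `Crypto::encrypt`/`decrypt`, `saveToAsciiSafeString`/`loadFromAsciiSafeString`) and PHP's openssl extension; the RSA key pair is generated inline purely for the demonstration, and `hybridEncrypt`/`hybridDecrypt` are names chosen here.

```php
<?php
// Added illustration of hybrid encryption: data under a defuse symmetric key,
// key wrapped with RSA-OAEP. Not EasyRSA's code; assumes defuse/php-encryption v2
// (composer require defuse/php-encryption) and the openssl extension.
require __DIR__ . '/vendor/autoload.php';

use Defuse\Crypto\Crypto;
use Defuse\Crypto\Key;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;

/**
 * Encrypt $plaintext for the holder of $recipientPublicPem.
 * defuse provides authenticated encryption of the bulk data; RSA only ever
 * sees the random key, never attacker-influenced plaintext.
 */
function hybridEncrypt(string $plaintext, string $recipientPublicPem): array
{
    $dataKey    = Key::createNewRandomKey();
    $ciphertext = Crypto::encrypt($plaintext, $dataKey);

    $wrappedKey = '';
    $ok = openssl_public_encrypt(
        $dataKey->saveToAsciiSafeString(),
        $wrappedKey,
        $recipientPublicPem,
        OPENSSL_PKCS1_OAEP_PADDING // OAEP rather than PKCS#1 v1.5, which is padding-oracle prone
    );
    if ($ok !== true) {
        throw new RuntimeException('RSA key wrapping failed: ' . openssl_error_string());
    }
    return ['wrapped_key' => base64_encode($wrappedKey), 'ciphertext' => $ciphertext];
}

function hybridDecrypt(array $envelope, string $recipientPrivatePem): string
{
    $keyString = '';
    $ok = openssl_private_decrypt(
        base64_decode($envelope['wrapped_key'], true),
        $keyString,
        $recipientPrivatePem,
        OPENSSL_PKCS1_OAEP_PADDING
    );
    if ($ok !== true) {
        throw new RuntimeException('RSA key unwrapping failed');
    }
    $dataKey = Key::loadFromAsciiSafeString($keyString);
    // Throws WrongKeyOrModifiedCiphertextException if the ciphertext was altered.
    return Crypto::decrypt($envelope['ciphertext'], $dataKey);
}

// Demo key pair generated on the fly; in a real deployment the private key
// stays with the recipient and is never present on the encrypting host.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

$envelope = hybridEncrypt('order #12345 total 42.00', $publicPem); // constructed sample input
echo hybridDecrypt($envelope, $privatePem), PHP_EOL;

// Flip one hex digit of the ciphertext: defuse's authentication tag rejects it.
$tampered = $envelope;
$tampered['ciphertext'][-1] = ($tampered['ciphertext'][-1] === 'a') ? 'b' : 'a';
try {
    hybridDecrypt($tampered, $privatePem);
} catch (WrongKeyOrModifiedCiphertextException $e) {
    echo 'tamper detected: ', $e->getMessage(), PHP_EOL;
}
```

The design point is the one the comment makes about the Zend advisory: the asymmetric layer should use OAEP and should wrap only a random key, so that a padding-oracle weakness in the RSA layer has as little to work with as possible, while integrity of the actual data comes from defuse's authenticated encryption.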