Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 18 Jan 2016 10:17:27 +0100
From: Bart van Tuil <bvantuil@...argroup.nl>
To: Scott Arciszewski <scott@...agonie.com>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	 "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] It essentially wins crypto vulnerability bingo! gilfether/phpcrypt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't get something:

> 4. https://github.com/paragonie/EasyRSA (reluctantly included for
> people that really believe they need RSA)

...What's, in your opinion ofcourse, the wrong thing about
implementing RSA in a decent web application? PHP is used for much,
much more than building simple frontpages without a backend (where
this might be a senseless complication). RSA is still the way to go
about implementing accessible asymmetrical crypography...

I do agree, wholeheartedly, that building your own cryptographic
primitives is just an expensive way of ultimately fooling yourself.

Just wondering...


All the best,


Bart


<rant>
PS:
All this bashing on PHP really tires me - it's getting old and
redundant. And no - im not a PHP developer.
</rant>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJWnK2nAAoJEEnUI2SRQ818biYH/1uKMFgwvkj2iBax/0NJlNTH
2Tfd6HLjesvaHUUpQGnvlOILszBoULOlzSsbIXkeLAob/nRyMll7MNI1UExzxub2
3tJzmzXenMCT+3en9vCr1eBkEZBCGKWudTLYoEYSanzK1aKr2N4aZEFxYzKWq+fX
v3hZQuqbISnUvk5UzSdpKW8ZHEMdjhdqt9h7q2BH7m/z5o72jHDBkOFpflCRzIu3
xlH0ctxFT1F0C071Dk+I5zdAOnERqM/68wDvJ0fHYmobtKPfMDgu8nSqYyB5LpUK
U1R4zAe/Jpuxkx9DWZb2f0BK7SrZwX9jDs+BPkDZ1tpN6rV2z3toaXtrWjMbwWM=
=o7rc
-----END PGP SIGNATURE-----


This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the   company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.