From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 42083138334 for ; Sat, 4 Aug 2018 14:29:56 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 93B17E0805; Sat, 4 Aug 2018 14:29:51 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3B879E07F6 for ; Sat, 4 Aug 2018 14:29:50 +0000 (UTC) Received: from computer (unknown [136.179.21.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: hanno) by smtp.gentoo.org (Postfix) with ESMTPSA id 877B8335CA8 for ; Sat, 4 Aug 2018 14:29:48 +0000 (UTC) Date: Sat, 4 Aug 2018 07:29:47 -0700 From: Hanno =?UTF-8?B?QsO2Y2s=?= To: gentoo-dev@lists.gentoo.org Subject: Re: mcrypt status (Re: [gentoo-dev] Idea for a new project: gentoo-libs) Message-ID: <20180804072947.1f9ac221@computer> In-Reply-To: <20180804114328.d4b31c885eba7cb98a1b5fd2@gentoo.org> References: <20180623025046.djmsv44moxuqkv6t@proprietary-killer> <20180625075947.03bd4875@computer> <20180804114328.d4b31c885eba7cb98a1b5fd2@gentoo.org> X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; boundary="Sig_/NV7_W3l0BReNc=jUYqIKZ7P"; protocol="application/pgp-signature" X-Archives-Salt: 16081d2e-2e9d-41eb-8f7e-6a204ae89eb5 X-Archives-Hash: 3406ec9531cce18b58d57536efdc345b --Sig_/NV7_W3l0BReNc=jUYqIKZ7P Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi, On Sat, 4 Aug 2018 11:43:28 +0300 Andrew Savchenko wrote: > Do you have any evidence that mcrypt should not be used? Well, PHP was as far as I'm aware its main user and PHP has declared mcrypt support to be deprecated a while ago. > Symmetric cryptography is quite conservative and it took years and > even decades for algorithms and their implementations to become > trusted, so there is nothing wrong in using good old verified > software. When it comes to cipher modes the fact that people use decades old modes is a problem. See efail for a prominent example, but there are many less prominent ones. Look at the mcrypt webpage: http://mcrypt.sourceforge.net/ Modes of Operation: CBC CFB CTR ECB OFB NCFB That is a mixture of very insecure (ECB), insecure in most situations (all others) and totally obscure modes. It doesn't include any authenticated encryption modes, which in most situations is what you want to use. --=20 Hanno B=C3=B6ck https://hboeck.de/ mail/jabber: hanno@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 --Sig_/NV7_W3l0BReNc=jUYqIKZ7P Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEn3wfQCCb9MicJwD8dkhfABMwL8oFAltluFsACgkQdkhfABMw L8qKIhAAkuk068hHpQXZH791GrHmMCGApn19QA9zu18CwzGivrj4frZ5rAosdZoZ clJR4GhDvqY103MoJJaJIPGnHw2wUmXaI7NGfpjJCyXgtDwS6rhhFhE+tbGCF4Sy bXCinICoxxvQxtZlUUfbPQS3TWZWn+flDy6GpG7oq/0/mgR/KDME3/HznCVsFlB0 R5ILEfs7KYde2H1u0rPdpI4v7lLkwqkvRcZRINaEsieR6xREdeLapIxRJiohO3z7 hvNCfs0kxG8jSz9y+h8ADeYKsWLplE18q1gOn68O+P0/yKqCkTXqPyNLnBXnT/83 LJu6Rp94QWoFIl3GVuEv7xXQi5X0/WAkNCz1OEBZCokVlKlh2dv+j7P/RySYCWWD TuLVrru2/ddPxyZ+7mMxw0yCvsRkqdlsp8FwyQnuwCxpoRwVxEsAOFnYb+EPWx8a 3KXghaXZ/0LB30kDCEL1JaHKMXjf2CyLL42deSQ+ndDc6ZFKMRbYVxYQ2+RgP2pg 8fZZ9hVjG8mYcbmr/Q0GXo/1BKggHJ1Kmkyl/oMeCBph5Rxrp8T39l7T8t4HPxeI FDnmAmYzi621axhJ7/1P+i8lwA/0/bamP6fFbeX8uLCX5n/gdAN/3yU4BhtuUYKL 7dcIl4AejBaZgTaHNlhwEAjBpRliOIKMmK0l9hJq3dpITpuAfEM= =OIdm -----END PGP SIGNATURE----- --Sig_/NV7_W3l0BReNc=jUYqIKZ7P--