
Please retire this gem and label it as "unsafe" in the README

Open tarcieri opened this issue 9 years ago • 1 comment

Please retire this gem. It contains multiple, extremely severe security vulnerabilities:

  • Fixed all zero IV: #4
  • No MAC/unauthenticated encryption: #12

Either of these vulnerabilities can, depending on the circumstances, lead to full plaintext recovery.

I opened #12 nearly 4 months ago. The extremely severe issue in #4 is approaching 4 years old.

This gem is broken, insecure, and unsuitable for use, and yet it is also the top hit for "ruby aes gem". Please retire it and point people at something safer, like ActiveSupport::MessageEncryptor:

http://api.rubyonrails.org/classes/ActiveSupport/MessageEncryptor.html

tarcieri avatar Apr 19 '17 00:04 tarcieri
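To make the two failure modes named in the report concrete for readers who are not familiar with symmetric encryption, here is an added Ruby example using only the standard `openssl` library. It is not the gem's code and not code from the issue author; the helper names (`cbc_encrypt_with_iv`, `fixed_iv_leaks_prefix?`, `aead_encrypt`, `aead_decrypt`, `tamper_detected?`) and the `nonce || tag || ciphertext` output layout are assumptions made for this demonstration. The first half shows what a fixed all-zero IV gives away (CBC-encrypting two messages that share a leading block yields identical leading ciphertext blocks), and the second half shows the property an authenticated cipher such as AES-GCM provides, which CBC without a MAC lacks: a single flipped ciphertext bit is rejected instead of being decrypted into garbage or attacker-controlled plaintext.

```ruby
require 'openssl'
require 'securerandom'

# AES-256-CBC with a caller-supplied IV. Hypothetical helper, present only to
# show the effect of the IV choice; production code should never expose the IV
# as a parameter like this.
def cbc_encrypt_with_iv(key, iv, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = key
  cipher.iv = iv
  cipher.update(plaintext) + cipher.final
end

# The all-zero IV the report describes (16 bytes for AES-CBC).
ZERO_IV = "\x00" * 16

# With a fixed IV, two messages that begin with the same 16-byte block produce
# the same first ciphertext block, so an observer learns that they share a
# prefix without ever seeing the key.
def fixed_iv_leaks_prefix?(key, m1, m2)
  c1 = cbc_encrypt_with_iv(key, ZERO_IV, m1)
  c2 = cbc_encrypt_with_iv(key, ZERO_IV, m2)
  c1[0, 16] == c2[0, 16]
end

# Same messages, fresh random IV per encryption: the first blocks differ.
def random_iv_leaks_prefix?(key, m1, m2)
  c1 = cbc_encrypt_with_iv(key, SecureRandom.random_bytes(16), m1)
  c2 = cbc_encrypt_with_iv(key, SecureRandom.random_bytes(16), m2)
  c1[0, 16] == c2[0, 16]
end

# Authenticated encryption with AES-256-GCM and a random 96-bit nonce.
# Output layout (constructed for this example): nonce(12) || tag(16) || ciphertext.
def aead_encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  nonce = SecureRandom.random_bytes(12)
  cipher.iv = nonce
  ct = plaintext.empty? ? '' : cipher.update(plaintext)
  ct += cipher.final
  nonce + cipher.auth_tag + ct
end

# Returns the plaintext, or nil when the authentication tag does not verify
# (modified ciphertext, modified nonce/tag, or wrong key).
def aead_decrypt(key, blob)
  nonce = blob[0, 12]
  tag = blob[12, 16]
  ct = blob[28..-1] || ''
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag
  pt = ct.empty? ? '' : cipher.update(ct)
  pt + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Flip one bit of the ciphertext body and confirm that decryption refuses it
# rather than returning a silently corrupted message.
def tamper_detected?(key, plaintext)
  blob = aead_encrypt(key, plaintext)
  tampered = blob.dup
  tampered.setbyte(28, tampered.getbyte(28) ^ 0x01)
  aead_decrypt(key, tampered).nil?
end

if __FILE__ == $PROGRAM_NAME
  key = SecureRandom.random_bytes(32)
  a = 'Transfer $100 to Alice'
  b = 'Transfer $100 to Bob'
  puts "fixed IV leaks shared prefix:  #{fixed_iv_leaks_prefix?(key, a, b)}"
  puts "random IV leaks shared prefix: #{random_iv_leaks_prefix?(key, a, b)}"
  puts "GCM round trip ok:             #{aead_decrypt(key, aead_encrypt(key, a)) == a}"
  puts "GCM rejects tampering:         #{tamper_detected?(key, a)}"
end
```

`ActiveSupport::MessageEncryptor` linked above handles both points for you (random IV per message and authentication of the ciphertext), which is why the report recommends it over rolling CBC by hand; the example only illustrates the properties, it is not a replacement for that library.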

Agree 100%. This gem could easily snare a passer-by who is unfamiliar with symmetric key encryption and believes it is safe.

rosenmoore avatar Dec 26 '17 15:12 rosenmoore