Useful info beyond the medium post….
Blaming the developer is not my point, and the cryptography community is trying hard to advertise the better and appropriate tools, but as a reminder:
If You’re Typing the Letters A-E-S Into Your Code You’re Doing It Wrong
As an encryption-aware person (as in “I’m aware I want encryption, but aware how little I know about it”), I’ve been slowly bumping up the percentage of my life covered by such. This included recently upgrading my CPU specifically so that I could re-install my OS (GNU/Linux) with full-disk encryption (dm-crypt with LUKS).
I upgraded my CPU because I was “aware” I wanted one that supported AES-NI.
Your comment (and the attached article) leads me to ask some questions. You may not know the answers, but I would appreciate being educated by any of the fine Lobsters who read this:
Any explanation or even just useful links to related reading is appreciated. I did about an hour of searching and reading before deciding to dump such a long list of questions here.
The statement isn’t that you should not use AES, it is that you shouldn’t use it directly. It is OK to use AES if the only way it gets used is through something well-audited from crypto implementation point of view.
Thanks for the clarification. I was indeed taking away the wrong lessons from my layman’s interpretation of the article.
I think its prudent if you are using any encryption library to have tests for failure cases.
This blog post does a great example of proving why.
You can use GitHub’s new dependency graph feature to see open source projects that depend on this vulnerable gem.
well this is vaguely terrifying
String#hex in Ruby converts hexadecimal strings into an integer and if it fails, zero is returned:
Oh seriously, Ruby, what were you thinking?
This would appear to be a holdover from Perl;
kahekkass ~$ perl -e "print hex '14'"; echo
kahekkass ~$ perl -e "print hex '1f'"; echo
kahekkass ~$ perl -e "print hex 'zxy'"; echo