Please retire this gem and label it as "unsafe" in the README

[tarcieri]

Please retire this gem. It contains multiple, extremely severe security vulnerabilities:

• Fixed all zero IV: Please use IV for CBC mode #4
• No MAC/unauthenticated encryption: Unauthenticated encryption is vulnerable to chosen ciphertext attacks, bitflipping attacks #12

Either of these vulnerabilities can, depending on the circumstances, lead to full plaintext recovery.

I opened #12 nearly 4 months ago. The extremely severe issue in #4 is approaching 4 years old.

This gem is broken, insecure, and unsuitable for use, and yet it is also the top hit for "ruby aes gem". Please retire it and point people at something safer, like ActiveSupport::MessageEncryptor:

http://api.rubyonrails.org/classes/ActiveSupport/MessageEncryptor.html

[rosenmoore]

Agree 100%. This gem could easily snare a passer-by who is unfamiliar with symmetric key encryption and believes it is safe.