If You're Typing the Word MCRYPT Into Your PHP Code, You're Doing It Wrong

[colinmollenhour]

https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong

Mage_Core_Model_Encryption uses Varien_Crypt which implements mcrypt by default.
I propose the following:

• Add Varien_Crypt_Openssl to implement encryption via Openssl using whatever the best practices are for secure encryption.
• Read a config key global/crypt/method to get a specific method if specified. Default to mcrypt if not specified for backwards compatibility.
• Add global/crypt/method -> openssl to the local.xml.template so that for new installations the default is openssl. I don't really care to support platforms without openssl so I don't even know if one exists or if they are common but I think it is perfectly reasonable to require a supported encryption library for an ecommerce platform.. It can easily be added to list of modules required during install.
• Write a script to migrate encrypted data from old method/key to new method/key. (find all encrypted config values, decrypt, re-encrypt with new key/method and save over old local.xml)
  • Note, Magento CE had a major bug up until 1.8/1.9 whereby a VERY poor encryption key was generated at installation so without a migration script if you are using one of these keys you basically might as well not even be using any encryption it is so bad. I tried to raise this with Magento on a magento2 issue but my warnings were completely ignored since they already have such a migration script for EE apparently.

EDIT:
Oh yeah, mcrypt will be deprecated in PHP 7.1 and removed in the version after. More info: https://wiki.php.net/rfc/mcrypt-viking-funeral

[Flyingmana]

👍
And yes, there are platforms without openSSL out there, but we can sure add alternates then.

[sreichel]

Reference ... Inchoo/Inchoo_PHP7#98

[inluxc]

This is a nice read about this problem.
https://www.zimuel.it/slides/phpce2017#/

[colinmollenhour]

Just pushed PR for this issue. See #506

[kkrieger85]

Close due to #506

[seansan]

Should this also be changed? https://github.com/OpenMage/magento-lts/blob/1.9.4.x/lib/Zend/Filter/Encrypt.php#L85

[colinmollenhour]

Should this also be changed? https://github.com/OpenMage/magento-lts/blob/1.9.4.x/lib/Zend/Filter/Encrypt.php#L85

Is that code used anywhere? I'd rather remove unused code than try to fix it.

[seansan]

with mcryptcompat all should work #1211

…

On Wed, Sep 30, 2020 at 11:55 PM Colin Mollenhour ***@***.***> wrote: Should this also be changed? https://github.com/OpenMage/magento-lts/blob/1.9.4.x/lib/Zend/Filter/Encrypt.php#L85 Is that code used anywhere? I'd rather remove unused code than try to fix it. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#129 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAE7I22RDWOGTBYJT5T37O3SIOSOVANCNFSM4CUBB27Q> .