search

auth0 / node-xml-encryption

W3C XML Encryption implementation for node.js (http://www.w3.org/TR/xmlenc-core/)
MIT License
37 stars 57 forks source link

wish: warn on insecure algorithms #66

Closed markstos closed 4 years ago

markstos commented 4 years ago

Hello,

I maintain the passport-saml library which has this library as a dependency.

We'd also like to move away from insecure algorithms. However, a SAML service provider may integrate with dozens of Identity providers. How can we know if insecure algorithms are in use? It seems simply disabling them may break some integrations.

It would be helpful if there was an option to allow insecure algorithms as before, but issue a warning if they are used. This change would be safe to deploy and would allow collecting log data to see if any integrations are using insecure algorithms. We could then notify our partners about the problem so that we could later disable the insecure algorithms without breaking anything.

Describe the ideal solution

One option is to always start issuing warning if insecure algorithms are used.

Another option is to add a boolean flag to opt-in (or out) of having the warnings be issued.

Thanks!

gkwang commented 4 years ago

@markstos would console.warn() suffice or do you have other approaches in mind?

markstos commented 4 years ago

@gkwang console.warn() would be sufficient. That will generate log output I can search through.

Thanks.

gkwang commented 4 years ago

This is now included in the v1.1.0 release.

markstos commented 4 years ago

Related ticket for passport-saml: https://github.com/bergie/passport-saml/issues/429