codekund / recaptcha

Automatically exported from code.google.com/p/recaptcha
0 stars 0 forks source link

Security Error: CBC mode with null IV #201

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
In the latest version of the recaptchalib, AES-128-CBC is used with a static 
key and a null IV.

https://code.google.com/p/recaptcha/source/browse/trunk/recaptcha-plugins/php/re
captchalib.php#221

I propose a Google-side API change that accepts an IV parameter, so that my 
fork of this recaptcha library can pass a base64-encoded IV (generated via a 
cryptographically secure pseudo-random number generator).

Referenece: https://github.com/sarciszewski/recaptcha/issues/1

Original issue reported on code.google.com by kobrasre...@gmail.com on 10 Sep 2014 at 1:14

GoogleCodeExporter commented 8 years ago
(This does not need to be a mandatory feature. I'm going to write my code to 
use it.)

Original comment by kobrasre...@gmail.com on 10 Sep 2014 at 1:23