[liberationtech] Interesting new project for decentralized communication

Waitman Gobble uzimac at da3m0n8t3r.com
Wed Jul 24 18:35:02 PDT 2013


On Wed, 24 Jul 2013 09:59:14 -0700, Steve Weis <steveweis at gmail.com> wrote: 
>
>I skimmed a couple files of this project. It does not inspire confidence.

Hi,

I have discussed these issues with the primary developer of Red.

>
>In 7 lines of encryption code, they unsafely use ECB, don't
>authenticate their ciphertext, don't have any comments, don't have any
>testing, and have a couple WTF lines like XORing parts of the key with
>itself:
>https://github.com/friendica/red/blob/master/include/crypto.php#L169
>


This is a function which provides MySQL-compatible AES encryption that came
from the web. Its only saving grace is that it does MySQL-compatible
encryption/decryption.

Red no longer needs to maintain compatibility with MySQL encryption. This
function is not used *at all* in Red and there are no plans to use it ever. It
just has not been removed yet.


>There also might be some SQL injection issues in this file, although I
>didn't check it in depth:
>https://github.com/friendica/red/blob/master/include/security.php

Feel free to check it in depth. It's possible something may be missed (it
happens) but this is why we have open source. Help and contributions to the
pledgie page are much appreciated.


Thank you,



>
>On Tue, Jul 23, 2013 at 7:45 PM, h0ost <host at mailoo.org> wrote:
>> An interesting new project, combining ideas that seem increasingly
>> significant in our times (decentralization, privacy via access control
>> lists and public key encryption, single-sign on, etc.).
>>
>> I think they are the core devs that did the Friendica social network a
>> few years back, and this is their new project.
>>
>> https://github.com/friendica/red
>--
>Too many emails? Unsubscribe, change to digest, or change password by
>emailing moderator at companys at stanford.edu or changing your settings at
>https://mailman.stanford.edu/mailman/listinfo/liberationtech
>

--
Waitman Gobble
San Jose California USA
+1.5108307875
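The two properties Steve objects to in the quoted crypto.php (ECB mode and unauthenticated ciphertext) are easy to show concretely. The block below is an added example for this archive page; it is not code from the Red/Friendica project and is written in Go (standard library only) rather than the project's PHP. `demoKey` and `demoMsg` are constructed values, and the MySQL key-folding step mentioned in the thread is deliberately not reproduced. It encrypts a message with repeated blocks both ways, counts duplicate ciphertext blocks (ECB leaks the repetition, GCM does not), and then shows that a single flipped byte goes unnoticed under ECB but is rejected by AES-GCM's authentication tag.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed demo inputs (not values from the project): a 16-byte AES-128 key
// and a message made of the same 16-byte block repeated four times.
var demoKey = []byte("0123456789abcdef")
var demoMsg = bytes.Repeat([]byte("0123456789ABCDEF"), 4)

// pkcs7Pad / pkcs7Unpad: block padding so ECB can handle any message length.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// ecbEncrypt encrypts each block independently: no IV, no chaining, no tag.
// This is the mode criticised in the thread, shown here only to measure it.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// ecbDecrypt has no way to notice a modified ciphertext: a flipped byte just
// turns one plaintext block into garbage while the call still "succeeds".
func ecbDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct)%bs != 0 {
		return nil, errors.New("bad length")
	}
	out := make([]byte, len(ct))
	for i := 0; i < len(ct); i += bs {
		block.Decrypt(out[i:i+bs], ct[i:i+bs])
	}
	return pkcs7Unpad(out, bs)
}

// repeatedBlocks counts 16-byte ciphertext blocks that occur more than once;
// a value above zero means the ciphertext reveals structure of the plaintext.
func repeatedBlocks(ct []byte) int {
	seen := map[string]int{}
	for i := 0; i+16 <= len(ct); i += 16 {
		seen[string(ct[i:i+16])]++
	}
	dups := 0
	for _, c := range seen {
		if c > 1 {
			dups += c - 1
		}
	}
	return dups
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal: authenticated encryption with a fresh random nonce prepended to
// the output; the 16-byte tag appended by Seal covers nonce-bound ciphertext.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen returns an error for any modification of nonce, ciphertext or tag.
func gcmOpen(key, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ct[:ns], ct[ns:], nil)
}

func main() {
	ecb, _ := ecbEncrypt(demoKey, demoMsg)
	g, _ := gcmSeal(demoKey, demoMsg)
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecb))          // 3
	fmt.Println("GCM repeated blocks:", repeatedBlocks(g[12:]))       // 0
	ecb[0] ^= 1
	_, err := ecbDecrypt(demoKey, ecb)
	fmt.Println("ECB tamper detected:", err != nil)                   // false
	g[12] ^= 1
	_, err = gcmOpen(demoKey, g)
	fmt.Println("GCM tamper detected:", err != nil)                   // true
}
```

The duplicate-block count is the observable cost of ECB: with the same key, equal plaintext blocks always map to equal ciphertext blocks, so anyone holding the ciphertext can see where content repeats. The tamper check is the cost of skipping authentication: without a tag, a decryptor accepts whatever it is handed, which is why reviewers expect an AEAD mode such as AES-GCM (or encrypt-then-MAC) rather than bare block encryption.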


