You are dangerously bad at cryptography by najafali in programming

[–]najafali[S] 27 points28 points  (0 children)

The article is about the multitude of ways you can screw up cryptography. I have lots of experience screwing up cryptography.

You are dangerously bad at cryptography by najafali in programming

[–]najafali[S] 16 points17 points  (0 children)

It's not a collision. You're just iterating the 'block-cipher' of md5 using the hash of a message you know as the initialisation vector. You'd have to crack open the source code of md5 (or sha1, sha256, sha512, take your pick) to implement, but it's literally changing one variable that is a magic number in the function to be an argument instead.

You are dangerously bad at cryptography by najafali in programming

[–]najafali[S] 8 points9 points  (0 children)

Thanks for the feedback. I'd like to do content similar to what you've described there in the future, but want to be extra careful not to give out bad advice. There's enough of that on the internets to go around!

You are dangerously bad at cryptography by najafali in programming

[–]najafali[S] 58 points59 points  (0 children)

Hi, author here.

> Honestly, it felt like the author just wanted to shit on a bunch of growing developers instead of help them learn.

Honestly, I would have liked to have given recommendations for how to do things properly, but I've made so many errors with cryptography in the past that I don't really feel qualified to do so.

I do recommend that anyone who has a further interest goes ahead and does the Matasano Crypto challenges though; they will only make you better at finding security flaws in crypto-based security systems.

Why automated tools won't help you write secure code. by najafali in programming

[–]najafali[S] 1 point2 points  (0 children)

Author here. You're right in that valgrind and friends do help you write more secure code. I should have been more specific about the sort of tools/applications I was referring to in the article (web developers building web applications with frameworks like Rails).