Should the Crypto from Play be replaced #15
Comments
|
As far as I understand, they are doing this to hide an internal API which wasn't meant to be used outside of Play. Do you think this affects akka-http-session in some way? (btw.: this is already pluggable, as you can provide a different session encoder quite easily) |
|
To quote the docs:
I'm not an expert, but I know enough to see this implementation is unsecure by default, e.g.: Which uses outdated and unsecure AES/ECB/PKCS5Padding. Instead of e.g.: or or So IMHO the smart thing to do would be to at least port the 2.4/2.5 changes. BTW How to choose an AES encryption mode (CBC ECB CTR OCB CFB)? |
|
Thanks for the links! An interesting read :). For encryption I think in our case |
This is an invitation for discussion about the Crypto implementation ported from Play Framework and its future.
Here's the issue that led to deprecation of the Crypto API from Play
and here is migration guide in Play 2.5.
I don't know much about cryptography, so unfortunately I can't say anything more useful.
The text was updated successfully, but these errors were encountered: