Par Remi le mardi 7 juillet 2015, 08:07 - HowTo - Lien permanent

I can't count the number of time I had to explain why using this library or this PHP extension is a terrible mistake. So time to blog about it.

libmcrypt is a dead project, unmaintained for ~8 years, last version 2.5.8 was released in February 2007!... and despite lot of open tickets, no acitvity.

Cryptography is a very important part of security management. Looking at the past, and issue discovered / fixed in various software, and the need to always increase security standards, and to drop old algorithms, how can we imagine using an 8 years old software ?

Various well maintained alternative libraries exist:

openssl

nss (Network Security Service)

etc

And for PHP, various other solutions are also available

crypt function, one way hashing

openssl extension

password hashing functions since 5.5 or its pure PHP implementation password_compat

or its pure PHP implementation password_compat phpseclib a pure PHP implementation, which can take benefit of installed extension.

A RFC have been proposed to drop mcrypt extension from PHP 7, but, shame on us, it didn't pass (15-18), so it will stay available.

Chicken and eggs: the extension is used, because available, and is kept available because used in lot of projects.

We really need to spread information about this issue, and we already do it for a long time in Fedora, and most projects understand this issue and agree to fix it and switch to some more secure implementation, some examples:

phpMyAdmin rely on phpseclib.

roundcubemail have switch to openssl as default, see rcube.php

CakePHP is aware, see issue #5440, and PR #5496 have be merged in new version 3.0

Laravel is also aware, see issue #9020, and PR #9041 have be merged in version 5.1

etc

Some other Framework still provide a wrapper to mcrypt (ex Zend\Crypt\Symmetric\MCrypt, issue #3), but chicken and eggs issue again, with applications using such framework which rely on this feature.

This explain why some enterprise distribution, like RHEL, don't provide libmcrypt or php-mcrypt. Probably we should discuss with other Linux distributions (Debian, Fedora...) to stop providing this awfull library.

Do you use mcrypt ? Do you understand you MUST switch as soon as possible, or at least report this issue to your software provider.