-
Improvement
-
Resolution: Fixed
-
Minor
-
4.4
-
MOODLE_404_STABLE
-
MOODLE_405_STABLE
-
See https://en.wikipedia.org/wiki/RC4 (emphasis mine)
While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure.[3][4] It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure protocols such as WEP.[5]
It's currently only used in core for reading/writing cookie username, however we have a much better encryption library available since this method was added 23 (twenty three!) years ago in the very first project commit (the method has barely changed at at all in the meantime)
I propose deprecating that code, and replacing current usage with modern alternative. This is in the same spirit of removing other cryptographically insecure code as in MDL-78698 & MDL-71421
- has to be done before
-
MDL-81941 Final removal of deprecated RC4 encryption methods
- Open