Scott paragonie-scott

## rsa-encrypt.php
<?php

$publicKey = openssl_pkey_get_public('
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7o9A47JuO3wgZ/lbOIOs
Xc6cVSiCMsrglvORM/54StFRvcrxMi7OjXD6FX5fQpUOQYZfIOFZZMs6kmNXk8xO
hgTmdMJcBWolQ85acfAdWpTpCW29YMvXNARUDb8uJKAApsISnttyCnbvp7zYMdQm
HiTG/+bYaegSXzV3YN+Ej+ZcocubUpLp8Rpzz+xmXep3BrjBycAE9z2IrrV2rlwg
TTxU/B8xmvMsToBQpAbe+Cv130tEHsyW4UL9KZY1M9R+UHFPPmORjBKxSZvjJ1mS
UbUYN6PmMry35wCaFCfQoyTDUxBfxTGYqjaveQv4sxx0uvoiLXHt9cAm5Q8KJ+8d

## GOALS and OVERVIEW.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                paragonie-scott
                / GOALS and OVERVIEW.md
            
            
              Created
              October 28, 2016 19:53
            
              
                Android App Design Notes
              
          
    I want to build an app that stops harassment and other forms of unsolicited bullshit.

I don't want any money for it.
I don't want to serve ads.
I just want it to perform one simple task and get out of the user's way.

Goal

A mobile app (Android and/or iOS) that only allows trusted callers to go through.

  
## hash-or-encrypt.md

      
              1 file
            
          
              0 forks
            
          
              7 comments
            
          
              1 star
            
          
                paragonie-scott
                / hash-or-encrypt.md
            
            
              Last active
              September 22, 2016 20:18
            
          
    Via Twitter

Authors consider SQLi as main attack vector. Hashed token mitigate r/o SQLi, encrypted mitigate r/w SQLi

That actually doesn't buy you anything. Consider the following table schema:
CREATE TABLE reset_tokens (
    tokenid BIGSERIAL PRIMARY KEY,
 selector TEXT,

  
## SVG Fails.md

      
              1 file
            
          
              0 forks
            
          
              5 comments
            
          
              5 stars
            
          
                paragonie-scott
                / SVG Fails.md
            
            
              Last active
              May 8, 2020 03:49
            
              
                image/svg+xml considered harmful: an open letter to member-svg-media-type@w3.org
              
          
    Update

Filed an issue to address this particular concern.
Thanks joepie91 for finding the folks responsible and getting the conversation started.

Currently, SVG is a security foot-cannon that allows attackers to upload a Stored XSS payload when a user views the image directly. Example.

  
## query.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                paragonie-scott
                / query.md
            
            
              Last active
              July 27, 2016 15:10
            
              
                Any Interest in Hardened-{$PROJECT HERE}
              
          
    Would you (or the company you represent) consider paying money for an extension/plugin
for whatever platform you currently use that fixes security faux pas?
For example:

WordPress doesn't securely store passwords.
Drupal only uses emulated prepared statements.
Magento has _____ (will fill in after it's public).
Most CMS projects don't offer secure automatic updates.
(WordPress's implementation is insecure. Drupal is working on it.)


## WhatsAppSaudi.txt
Suppose I have a friend named Alice. Alice has registered to WhatsApp with a
Saudi number but resides in Europe. We chat over WhatsApp regularly. We are both
using the latest version of WhatsApp for Android (2.16.155).

However, Alice is unable to receive or initiate WhatsApp calls, even though she
is in Europe and is using European WiFi. If you can test this, I suggest you do.
Get a Saudi phone number, register to WhatsApp, and then fly to France and make
a call. You will encounter the same result even if you're on French WiFi.

WhatsApp claims that "the Saudis are blocking the initial handshake [for

## gist:c7a73fd0f759e451cf07
function secure_rand(min, max) {
    var rval = 0;
    var range = max - min;
    if (range < 2) {
        return min;
    }

    var bits_needed = Math.ceil(Math.log2(range));
    if (bits_needed > 53) {
      throw new Exception("We cannot generate numbers larger than 53 bits.");

## 1_changelog.md

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                paragonie-scott
                / 1_changelog.md
            
            
              Created
              February 19, 2016 00:00
                — forked from joepie91/1_changelog.md
            
              
                Remove Wired's "ad-blocker veil"
              
          
    Changelog


February 19, 2016: Initial release.

Broken?

GitHub Gist doesn't send notifications when people leave a comment, so shoot me an e-mail at admin@cryto.net. I'll gladly fix it. Fuck advertising.

  
## 00-README.md

      
              3 files
            
          
              1 fork
            
          
              0 comments
            
          
              3 stars
            
          
                paragonie-scott
                / 00-README.md
            
            
              Created
              February 17, 2016 04:44
            
              
                Bcrypt SHA-384
              
          
    Example code for How to Safely Store a Password in 2016.

  
## strict.md

      
              1 file
            
          
              0 forks
            
          
              11 comments
            
          
              4 stars
            
          
                paragonie-scott
                / strict.md
            
            
              Last active
              November 18, 2017 07:07
            
              
                PHP7 Strict Typing or Else
              
          
    Let's say you have a file like this:
<?php
declare(strict_types=1);

class Foo
{
    protected $x;
    public function __construct(array $x = [])
	<?php

	$publicKey = openssl_pkey_get_public('
	-----BEGIN PUBLIC KEY-----
	MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7o9A47JuO3wgZ/lbOIOs
	Xc6cVSiCMsrglvORM/54StFRvcrxMi7OjXD6FX5fQpUOQYZfIOFZZMs6kmNXk8xO
	hgTmdMJcBWolQ85acfAdWpTpCW29YMvXNARUDb8uJKAApsISnttyCnbvp7zYMdQm
	HiTG/+bYaegSXzV3YN+Ej+ZcocubUpLp8Rpzz+xmXep3BrjBycAE9z2IrrV2rlwg
	TTxU/B8xmvMsToBQpAbe+Cv130tEHsyW4UL9KZY1M9R+UHFPPmORjBKxSZvjJ1mS
	UbUYN6PmMry35wCaFCfQoyTDUxBfxTGYqjaveQv4sxx0uvoiLXHt9cAm5Q8KJ+8d
	Suppose I have a friend named Alice. Alice has registered to WhatsApp with a
	Saudi number but resides in Europe. We chat over WhatsApp regularly. We are both
	using the latest version of WhatsApp for Android (2.16.155).

	However, Alice is unable to receive or initiate WhatsApp calls, even though she
	is in Europe and is using European WiFi. If you can test this, I suggest you do.
	Get a Saudi phone number, register to WhatsApp, and then fly to France and make
	a call. You will encounter the same result even if you're on French WiFi.

	WhatsApp claims that "the Saudis are blocking the initial handshake [for
	function secure_rand(min, max) {
	var rval = 0;
	var range = max - min;
	if (range < 2) {
	return min;
	}

	var bits_needed = Math.ceil(Math.log2(range));
	if (bits_needed > 53) {
	throw new Exception("We cannot generate numbers larger than 53 bits.");