

Reasons to Avoid Mcrypt - earthrise
https://appsec.solutions/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong

======
jmspring
So, the arguments I see are:

- abandonware (fine), bugs, yes, but doesn't invalidate the case if you know
the library and the warts

- design flaws make it hard to write correct code, it's crypto, you better
know what you are doing regardless of the library

- algorithm identifiers are confusing, see point above.

~~~
sarciszewski
From the article:

    Although it's possible to provide a relatively secure cryptography
    library that builds on top of mcrypt (the earlier version of
    defuse/php-encryption did), switching your code to openssl will
    provide better security, performance, maintainability, and
    portability.

The argument here isn't that mcrypt is doomed/inherently vulnerable, it's two-fold:

1. OpenSSL is a better choice, especially if you're an average PHP developer
who is ignoring cryptographers' advice not to deploy your own crypto
implementations

2. If a critical bug is found in libmcrypt, since nobody is maintaining it
anymore, it is unlikely to get fixed. You are much safer using a library where
patches are still being merged.

I hope this makes more sense.
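
As an added example (not from the thread, and not defuse/php-encryption's own code) of what the openssl-based replacement for an mcrypt call looks like in PHP 7.1+: encrypt-then-MAC over AES-256-CBC with a per-message random IV and a constant-time tag check before decryption. The 64-byte split key, the function names and the message layout are assumptions made for this example.

```php
<?php
// Encrypt-then-MAC with ext/openssl: AES-256-CBC for confidentiality, HMAC-SHA256
// over IV||ciphertext for integrity, fresh random IV per message.
// Assumption: $key is 64 bytes of secret material (e.g. random_bytes(64));
// the first 32 bytes encrypt, the remaining 32 authenticate.
const CIPHER = 'aes-256-cbc';

function splitKey(string $key): array
{
    if (strlen($key) !== 64) {
        throw new InvalidArgumentException('key must be exactly 64 bytes');
    }
    return [substr($key, 0, 32), substr($key, 32, 32)];
}

function encryptAuthenticated(string $plaintext, string $key): string
{
    [$encKey, $macKey] = splitKey($key);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // 16 bytes for CBC
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true); // 32 raw bytes
    return base64_encode($mac . $iv . $ct);
}

function decryptAuthenticated(string $message, string $key): string
{
    [$encKey, $macKey] = splitKey($key);
    $raw = base64_decode($message, true);
    // Minimum: 32-byte MAC + 16-byte IV + one 16-byte padded CBC block.
    if ($raw === false || strlen($raw) < 64) {
        throw new RuntimeException('malformed message');
    }
    $mac = substr($raw, 0, 32);
    $iv  = substr($raw, 32, 16);
    $ct  = substr($raw, 48);
    // Constant-time tag check before decrypting, so padding errors never leak.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('openssl_decrypt failed');
    }
    return $pt;
}

// Usage: $key = random_bytes(64); assert(decryptAuthenticated(encryptAuthenticated('hi', $key), $key) === 'hi');
```

The tag covers the IV as well as the ciphertext, so a tampered IV is rejected before openssl_decrypt is ever called.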

------
smileysteve
As a note, Laravel 4.2 uses mcrypt by standard. openssl is an option.

~~~
sarciszewski
[https://github.com/bcit-ci/CodeIgniter/blob/3a9eb39f61b10b3f...](https://github.com/bcit-ci/CodeIgniter/blob/3a9eb39f61b10b3f86e50f4cd39ca0d9f010bac2/system/libraries/Encryption.php#L208-L210)

CodeIgniter prioritizes OpenSSL over Mcrypt. I swear I did not tip their devs
off before I wrote it; Andrey Andreev must have come to a similar conclusion
on his own.

