

Why you must never generate your own promo codes - diminish
https://medium.com/p/e9dd71041321

======
Metatron
Also never trust codes generated by some stranger on the internet for free.

~~~
diminish
Good point. For SSL certificates, and many other security-related services, you
always ultimately trust some strangers, who sometimes happen to use names such
as "Trusted Certificate Authority" which normally should read "Stranger
Stranger Stranger".

What would be the alternative, to find a "Trusted Certified Code Generator
Authority"?

Edit: for example Bitcoins, Satoshi and Bitcoin Exchanges. The generator is
using a version of the AES FPE (BPS) standards as I see, so it's kind of
peer-reviewed.

~~~
Metatron
There's a vast gulf between SSL and a third-party promo code generator. The
main difference being the number of professionals putting time and effort into
SSL standards and the global uptake of those standards. Trust is earned.

To say something as well established as a 'Trusted Certificate Authority'
equates to 'Stranger Stranger Stranger' is slightly erroneous. I may not know
them personally, but to all intents and purposes my browser is incredibly
familiar with the technology and has been for generations. That trust has been
earned.

I've no idea what the process was for SSL to become so central, but it'd be a
good example of how to reach that position with something like a promo code
generator. I'd imagine a lot of time being peer reviewed, worked on
collaboratively and if it's ever misused strong evidence of hotfixes in new
iterations. A track record of legitimacy. Of earned trust.

~~~
diminish
You're right and indeed the promo code generator uses a hardened version of
the proposed NIST standard for FPE, called BPS. It's the result of vast
academic research since the 1950s, on how to shuffle and generate unique random
permutations within an arbitrary set.

