
Public-Key Encryption in PHP - CiPHPerCoder
https://paragonie.com/blog/2016/12/everything-you-know-about-public-key-encryption-in-php-is-wrong
======
tzs
I'm not sure that cryptographic library functions should have default
parameters, at least for parameters that affect security.

The argument (no pun intended) for default parameters would be to provide a
reasonable value for library users who do not have the expertise to select the
parameter value themselves.

The problem with this is that if someday the expert opinion on what the
default value should be changes, then the library is in an unfortunate
position.

If they update the library to match the newer expert opinion, it breaks
existing code. If they do not update the library, then new applications using
it will get the bad default value. Maybe they can leave the default alone, but
make the library generate a warning that the default is no longer good and the
application should be updated to explicitly pick a better value.

If the library had not supplied a default value, then all users of the library
would have to make a choice. The library documentation could suggest what
choice is considered best at the time, but make the programmer actually say it
in the code. That way, if expert opinion changes, the recommendation can
change and at least new users of the library might use the better value.

~~~
tedunangst
Updating the default doesn't need to break code. There can be some means of
querying the default. Or as much as I hate to reference TLS, the default can
be a cipher list which evolves over time.

~~~
CiPHPerCoder
Or something like this:
[http://externals.io/thread/442#email-12842](http://externals.io/thread/442#email-12842)

------
cutler
'Looks like a competent PHP dev could make a decent living as a crypto/SSL
consultant.

------
didgeoridoo
Dupe from two weeks ago (plus a few other times that this user submitted it).
Conversation here:
[https://news.ycombinator.com/item?id=13171409](https://news.ycombinator.com/item?id=13171409)

~~~
reitanqild
Never seen it before and I am reasonably acttive here.

~~~
CiPHPerCoder
It floated near the top of page two for a while then died off. I don't know
that it ever landed on the front page for any appreciable length of time.

------
bhldr
Looks like blog spam. Third time this user submits the same link and he/she
only posts from one domain.

~~~
CiPHPerCoder
[https://news.ycombinator.com/newsfaq.html](https://news.ycombinator.com/newsfaq.html)
\- See: "Are reposts ok?"

Also, your claim that I only post from one domain is demonstrably false:
[https://news.ycombinator.com/submitted?id=CiPHPerCoder](https://news.ycombinator.com/submitted?id=CiPHPerCoder)

Happy to discuss better strategies for raising security awareness among PHP
developers if sharing content on HN is viewed as annoying.

~~~
ckdarby
Here you go, [https://www.reddit.com/r/PHP/](https://www.reddit.com/r/PHP/)

