scrap crypt.js
Hi, I am the one who added encryption to this extension. Honestly, this implementation should not be depended on and should be replaced with something battle-tested like the WebCrypto API and using encryption standards.
The "encryption" "library" I added to the extension is more or less an under-tested buggy Caesar cipher (sorry!). At the time it seemed pretty secure to me, but don't roll your own crypto as they say.
Is your extension abandoned or is it considered complete and thus didn't need updates for 6 years?
- if you don't plan on maintaining the extension anymore, I'd suggest archiving and deprecating it
- otherwise, crypto.js definitely gives a false sense of security and may be the source of a good proportion of the issues. I'd suggest at the very least migrating users off it and removing encryption.
What are your thoughts?
Hello,
I was originally planning on rewriting the extension to replace the encryption, but I stalled out on that. The last commit I made to the dev branch was 4 years ago. So, it's probably for the best that I just deprecate the extension.
I'm including the following notice on the AMO listing, and I've set the extension to unlisted:
Deprecation Notice
The encryption included in this extension is not secure. As such, I am deprecating this extension. It will no longer be installable from AMO. You may still use it, but migrating to a different app is recommended.
Apologies for any inconvenience.
Migration
To export your keys, go to the extension settings (the gear in the popup), and click the "Export" button at the bottom of the page. A file (totp.json) will be downloaded containing your authenticator keys. You can then use those keys with a different authenticator app.
I'm truly sorry for suggesting my own bad encryption by the way. If that counts I was very young at the time x)
No worries, I was also young at the time, and I didn't really know what I was doing.