OpenSSL is compromised.
If you are currently running it on a server you maintain, switch to LibreSSL ASAP.
https://archive.fo/y13zq
>>58399947
His first POC is retarded and only seems to show that you can get the encryption key for an encrypted file... if you know the password used to encrypt it?
>>58400050
It looks like it's talking more about how you can know the salt for the hash, which lets you brute force it easier. That's definitely an issue, but not as major as he's making it out to be.
It is not surprising that you can derive the key when you know both the password and the salt.
>>58400068
While I agree that still makes it all a bit easier to crack, not that it would be successful in any way, but still.
>>58399947
Wow. If you use a library insecurely, it's insecure.
Who would have guessed!
>>58400068
>>58399947
The salt isn't required to be hidden.
The whole reason of a salt is to avoid rainbow table attacks, it doesn't really have all that much to do with brute forcing.
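
Added example, not part of the thread and not OpenSSL's code: a Python sketch of the point argued in the last posts, that a table precomputed for one salt is useless against another salt, while guessing against a single target with its known salt costs the same number of tries either way. PBKDF2-HMAC-SHA256, the iteration count, the salts and the wordlist are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumptions, not taken from the thread).
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]
SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def derive_key(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """Deterministic: the same password and salt always give the same key.
    The iteration count is kept low so the demo runs fast; real use needs far more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def build_table(words, salt: bytes) -> dict:
    """Precompute key -> password for ONE salt, the work a rainbow table amortises."""
    return {derive_key(w, salt): w for w in words}


def guess_with_known_salt(target_key: bytes, salt: bytes, words):
    """Per-target guessing with the public salt; returns (password, guesses_made)."""
    for n, w in enumerate(words, start=1):
        if hmac.compare_digest(derive_key(w, salt), target_key):
            return w, n
    return None, len(words)


def demo() -> dict:
    key_a = derive_key("hunter2", SALT_A)
    key_b = derive_key("hunter2", SALT_B)
    table_a = build_table(WORDLIST, SALT_A)  # table built once, for SALT_A only
    return {
        "table_hit_same_salt": table_a.get(key_a),   # table works for its own salt
        "table_hit_other_salt": table_a.get(key_b),  # and misses under another salt
        "guess_salt_a": guess_with_known_salt(key_a, SALT_A, WORDLIST),
        "guess_salt_b": guess_with_known_salt(key_b, SALT_B, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

What protects a weak password against per-target guessing is the cost of each derivation (the iteration count), not keeping the salt secret.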