Question

I understand PHP's built-in random functions (rand(), mt_rand()) are not very safe, so I started using openssl_random_pseudo_bytes(). After reading the news, I noticed the Heartbleed bug, and how it's caused by something in OpenSSL.

Is it still safe to use this with Heartbleed around? Sorry that this is kinda a stupid question.

It's the only function I'm using; I'm not using any other OpenSSL function.


Solution

If you have:

  • updated to the newest patched version of OpenSSL,
  • changed the keys for your certificates,
  • changed all passwords or forced users to change passwords,

then you should no longer be affected by Heartbleed.

If you have not upgraded, you are still vulnerable to Heartbleed, and then whatever you use or pass along the internet can be caught and exposed.

If this is the only thing you're using OpenSSL for, though, you should be fine. All it is doing is creating a cryptographically unique string, unlike rand(), which can create infinite duplicates over time.
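An added example, not part of the original answer: a token helper that checks the strength flag openssl_random_pseudo_bytes() reports, plus a check of which OpenSSL build PHP is linked against. The function names are hypothetical, and the 1.0.1 through 1.0.1f range comes from the public Heartbleed advisory rather than from this page.

```php
<?php
// Added example; secure_token() and names_heartbleed_release() are
// hypothetical names, not PHP or OpenSSL APIs.

/**
 * Return $bytes of random data as hex, refusing failed or weak output.
 */
function secure_token(int $bytes = 32): string
{
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    // Older PHP versions return false on failure. $strong is set to true
    // only when a cryptographically strong algorithm produced the bytes.
    if ($raw === false || $strong !== true || strlen($raw) !== $bytes) {
        throw new RuntimeException('No cryptographically strong random bytes available');
    }
    return bin2hex($raw);
}

/**
 * True when the version text names an upstream release from 1.0.1 to 1.0.1f.
 * Distributions backport fixes without changing this string, so a match
 * means "check the vendor package changelog", not "confirmed vulnerable".
 */
function names_heartbleed_release(string $versionText): bool
{
    return preg_match('/^OpenSSL 1\.0\.1([a-f])?(?![a-z0-9.])/', $versionText) === 1;
}

// OPENSSL_VERSION_TEXT describes the library PHP itself is linked against.
// A web server terminating TLS may use a different build, so check that too.
echo 'Linked library: ', OPENSSL_VERSION_TEXT, PHP_EOL;
if (names_heartbleed_release(OPENSSL_VERSION_TEXT)) {
    echo 'Version string is in the 1.0.1 to 1.0.1f range; confirm the patch level.', PHP_EOL;
}

// Constructed sample strings showing what the check accepts and rejects.
var_dump(names_heartbleed_release('OpenSSL 1.0.1f 6 Jan 2014')); // bool(true)
var_dump(names_heartbleed_release('OpenSSL 1.0.1g 7 Apr 2014')); // bool(false)

echo 'Token: ', secure_token(16), PHP_EOL;
```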

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow