Home Search Pricing Get inErrata About

Sign in Sign up

Graph/crypto-misuse-insecure-defaults

AntiPattern

Cryptography Misuse Risks

crypto-misuse-insecure-defaults

Encryption and transport security fail when libraries are used with insecure defaults or without integrity/authentication—e.g., unauthenticated CBC/PKCS#7, missing IV randomness, misapplied TLS verification, or relying on keys that never leave secure hardware.

Node Details

Public graph metadata

Updated6/25/2026

Connections

30 linked nodes

MATCHESSolution

SQS uses envelope encryption. Tension: It doesn't need `kms:Encrypt`, because it uses the data key to do the encryption. Outcome: The consumer just needs `kms:Decrypt` to decrypt the encrypted data key.

MATCHESSolution

either your queue isn't set up for SSE-KMS encryption, or your KMS key has the necessary permissions defined in it's key policy — How is the application able to function correctly with the permissions 'reversed' like this? Outcome: your KMS key has the necessary permissions defined in it's key policy.

MATCHESSolution

read access should be done through CloudFront — if you are not directly needing TLS 1.0 or 1.1 for your own application needs. Tension: you are not at further risk of attack from outside entities. Outcome: place other services/protections/permissions in place so that you are not at further risk of attack from outside entities.

MATCHESSolution

the API keys are stored in an encrypted form — more-annoying techniques (e.g., native code via the NDK). Tension: This too makes it more difficult for an attacker to get the keys. Outcome: but it does not prevent it completely.

MATCHESSolution

requires a valid account, SSL with certificate pinning — to protect your own server API calls. Outcome: This increases the difficulty for an attacker to get the keys.

MATCHESSolution

Encrypting the plain text locally and storing the ciphertext remotely is the way to go. — You want to have protection from the remote attackers? Tension: Encryption has never solved any problems for us. It has just shifted the problems somewhere else. Outcome: protection from remote attackers is doable.

MATCHESSolution

Use Hash-Based Message Authentication Code or any cryptographic library or built-in .NET classes

MATCHESSolution

If you are looking for a FIPS 140-2 compliant JavaScript Cryptographic Library — JavaScript Cryptographic Library. Tension: any other library that you may be referring to is not FIPS compliant. Outcome: Virtru is the only option available.

MATCHESSolution

No change is required for normal HTTPS behavior; DevTools displaying plaintext is expected and safe as TLS encryption protects data in transit. Ensure the site uses HTTPS to keep network traffic encrypted.

MATCHESSolution

PKCE is verified on the authorization server — even if the clients does not properly (or fail to) verify the state/nonce. Tension: PKCE will still protect them. Outcome: PKCE will still protect them.

MATCHESSolution

I would simply hold the secrets in memory — Based on the logic here. Tension: reading secrets every time disrupts availability. Outcome: I would also update the threat analysis if I get insight into new threats that appear in the future.

MATCHESSolution

Using the platform provided protection usually makes sense — Using the platform provided protection usually makes sense; it is pretty hard to securely store the encryption key within an application after all. Tension: it is pretty hard to securely store the encryption key within an application after all. Outcome: destroy the (copies of) the unencrypted key / passphrase after provisioning / use.

MATCHESSolution

pass `False` if you're not using the algorithm for security purposes. — False indicates that the hashing algorithm is not used in a security context. Tension: Insecure algorithms are enabled by default. Outcome: Python will tell OpenSSL to allow insecure algorithms anyway.

MATCHESSolution

A way to do this (which is used in the wild) is described at — I have a JWKS which exposes my public keyset. Tension: I want to ensure that the keys are not modified in-transit through some man-in-the-middle. Outcome: which would allow clients to verify the jwt's authenticity, and if it's authentic, they could then accept the supplied keys.

MATCHESSolution

PKCE protects against a specific vulnerability. — if something can intercept the redirect. Tension: the `code` alone is useless because they need the `code_verifier`. Outcome: they need the `code_verifier` which lives in the app that originally initiated the `authorization_code` flow.

MATCHESSolution

Your hardware token idea is the only thing you've listed that is plausible — assuming the token's hardware has its own clock and is hardened against tampering. Tension: There is no way to trust hardware that someone else controls. Outcome: This is just a computer that you trust because the user does not control it.

MATCHESSolution

From the moment you use HTTPS the communication between your mobile app and server is private — make private the communication between my mobile application and my server. Tension: someone can intercepts http calls and copy the static token. Outcome: unless a MitM attack is being carried out successfully by an attacker.

MATCHESSolution

If you want to keep a key secret safe — wallet secrets. Tension: developers often have more access rights than they should have. Outcome: export it to a USB drive, or print it out on a piece of paper and put it in a safe!

MATCHESSolution

Regularly checking your codebase against common vulnerabilities — by utilizing OWASP, CWE, etc. Tension: security score might not be sufficient for tomorrow.

MATCHESSolution

using the `crypto` module is fine — In Node.js. Tension: instead of trying to do it yourself. Outcome: you can simply do what you're doing without concern.

MATCHESSolution

protecting the individual endpoints properly. Tension: data from the frontend can and shouldn't be trusted from a security perspective. Outcome: you're already taking the proper countermeasures.

MATCHESSolution

use HTTPS, in which TLS (Transport Layer Security) is used to encrypt the traffic between the client and the server — sensitive information should never ever be sent in the open. Tension: there is no good reason to not use HTTPS for everything except local development. Outcome: all traffic is automatically encrypted.

MATCHESSolution

Use protected mode and access tokens so attempts to read protected memory raise an exception instead of exposing decrypted data

MATCHESSolution

If you want to have e.g. functionality such as signed (and/or encrypted) email then you'd use a higher level protocol such as PKCS#7 — If you want to have e.g. functionality such as signed (and/or encrypted) email. Tension: CMS supports both encryption (enveloped data) and signatures. Outcome: you can simply base64 encode it.

MATCHESSolution

The only way I can think of is "frontend security" — pdf viewer apps won't let you do that. Tension: from a technical standpoint if the decrypted data is in my RAM it seems impossible to stop me. Outcome: no actual security.

MATCHESSolution

You can limit TLS sniffing using certificate pinning. — for some situations, it's worth the trouble. Tension: Google does not recommend this because it's hard to manage. Outcome: See also HTTP Toolkit's discussion on the topic.

MATCHESSolution

Browsers themselves provide an encryption interface. That interface supports AES-GCM — You mention using the private key. Tension: WebAuthn does not currently provide any symmetric key that can be used for encryption. Outcome: You would need to download Chr.

MATCHESSolution

you should consider using community-driven packages built for this kind of thing — Typically, any attempt at solving XSS attacks yourself should be avoided. Tension: they will find these pseudo-protocol calls. Outcome: as they will find these pseudo-protocol calls and santize/strip them for you.

MATCHESSolution

The flawfinder report is therefore about dangerous APIs rather than an internal overflow — glibc implementations of strcpy/strcat. Tension: bounds checks cannot be added without changing the API.

MATCHESSolution

Use HTTPS/TLS for the site (and verify with a packet capture tool like Wireshark/tcpdump that traffic is encrypted). Treat DevTools payload viewing as client-side request contents rather than evidence that encryption is missing.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Cryptography Misuse Risks - inErrata Knowledge Graph | Inerrata