Home Search Pricing Get inErrata About

Sign in Sign up

Graph/crypto-misuse-unauthenticated-encryption

AntiPattern

Misusing Crypto Primitives

crypto-misuse-unauthenticated-encryption

Encryption or trust mechanisms get conflated with authentication, correct IV/AEAD usage, and key-handling guarantees; the result is confidential-but-unauthenticated ciphertext, incorrect WebAuthn/PKI assumptions, and preventable MITM or misuse when keys are presumed to be transport- or client-safe.

Node Details

Public graph metadata

Updated6/25/2026

Connections

30 linked nodes

MATCHESSolution

either your queue isn't set up for SSE-KMS encryption, or your KMS key has the necessary permissions defined in it's key policy — How is the application able to function correctly with the permissions 'reversed' like this? Outcome: your KMS key has the necessary permissions defined in it's key policy.

MATCHESSolution

you should use the same secret in both places — if you're doing symmetric keys (default in fastendpoints). Tension: signing tokens with one secret and trying to validate incoming tokens with a different secret. Outcome: assymmetric keys is another story which i don't think you need to worry about just yet.

MATCHESSolution

the API keys are stored in an encrypted form — more-annoying techniques (e.g., native code via the NDK). Tension: This too makes it more difficult for an attacker to get the keys. Outcome: but it does not prevent it completely.

MATCHESSolution

requires a valid account, SSL with certificate pinning — to protect your own server API calls. Outcome: This increases the difficulty for an attacker to get the keys.

MATCHESSolution

Choose solutions where the keys reside on your server — your server gets data from the client using your own APIs and forwards it to the third-party service. Tension: To prevent an attacker from getting client-side API keys.

MATCHESSolution

Encrypting the plain text locally and storing the ciphertext remotely is the way to go. — You want to have protection from the remote attackers? Tension: Encryption has never solved any problems for us. It has just shifted the problems somewhere else. Outcome: protection from remote attackers is doable.

MATCHESSolution

Do not encode the secret for hiding; instead use ConvertAPI authentication with a proper token/credentials designed for client use, e.g., provide an apiKey plus a valid ConvertAPI token in the request (or move credential handling to a backend if needed).

MATCHESSolution

No change is required for normal HTTPS behavior; DevTools displaying plaintext is expected and safe as TLS encryption protects data in transit. Ensure the site uses HTTPS to keep network traffic encrypted.

MATCHESSolution

PKCE is verified on the authorization server — even if the clients does not properly (or fail to) verify the state/nonce. Tension: PKCE will still protect them. Outcome: PKCE will still protect them.

MATCHESSolution

Using the platform provided protection usually makes sense — Using the platform provided protection usually makes sense; it is pretty hard to securely store the encryption key within an application after all. Tension: it is pretty hard to securely store the encryption key within an application after all. Outcome: destroy the (copies of) the unencrypted key / passphrase after provisioning / use.

MATCHESSolution

As a default and mainstream solution I would use a BFF that issues short lived access tokens in HTTP only cookies — When a browser tab is closed, it must not be possible for its API credential to be abused by malicious sites. Tension: These should also use the `SameSite=strict` property, for the best protection against cookie misuse via cross site request forgery. Outcome: These should also use the `SameSite=strict` property.

MATCHESSolution

PKCE is the most obvious solution for OAuth clients. Tension: nonce is appropriate for OpenID Connect clients.

MATCHESSolution

A way to do this (which is used in the wild) is described at — I have a JWKS which exposes my public keyset. Tension: I want to ensure that the keys are not modified in-transit through some man-in-the-middle. Outcome: which would allow clients to verify the jwt's authenticity, and if it's authentic, they could then accept the supplied keys.

MATCHESSolution

Use opaque, signed, time-limited tokens instead of plain email in links, and revalidate any client-provided value on the server

MATCHESSolution

PKCE protects against a specific vulnerability. — if something can intercept the redirect. Tension: the `code` alone is useless because they need the `code_verifier`. Outcome: they need the `code_verifier` which lives in the app that originally initiated the `authorization_code` flow.

MATCHESSolution

"WWW-Authenticate: Negotiate" literally means SPNEGO will be used for authentication — on the server side, you're supposed to validate the token using a SPNEGO implementation. Tension: If the client starts by sending an NTLM token instead of Kerberos, that is not because of a missing header. Outcome: you haven't registered a SPN for the server within Active Directory.

MATCHESSolution

Your hardware token idea is the only thing you've listed that is plausible — assuming the token's hardware has its own clock and is hardened against tampering. Tension: There is no way to trust hardware that someone else controls. Outcome: This is just a computer that you trust because the user does not control it.

MATCHESSolution

From the moment you use HTTPS the communication between your mobile app and server is private — make private the communication between my mobile application and my server. Tension: someone can intercepts http calls and copy the static token. Outcome: unless a MitM attack is being carried out successfully by an attacker.

MATCHESSolution

If you want to keep a key secret safe — wallet secrets. Tension: developers often have more access rights than they should have. Outcome: export it to a USB drive, or print it out on a piece of paper and put it in a safe!

MATCHESSolution

using the `crypto` module is fine — In Node.js. Tension: instead of trying to do it yourself. Outcome: you can simply do what you're doing without concern.

MATCHESSolution

protecting the individual endpoints properly. Tension: data from the frontend can and shouldn't be trusted from a security perspective. Outcome: you're already taking the proper countermeasures.

MATCHESSolution

use HTTPS, in which TLS (Transport Layer Security) is used to encrypt the traffic between the client and the server — sensitive information should never ever be sent in the open. Tension: there is no good reason to not use HTTPS for everything except local development. Outcome: all traffic is automatically encrypted.

MATCHESSolution

Use protected mode and access tokens so attempts to read protected memory raise an exception instead of exposing decrypted data

MATCHESSolution

If you want to have e.g. functionality such as signed (and/or encrypted) email then you'd use a higher level protocol such as PKCS#7 — If you want to have e.g. functionality such as signed (and/or encrypted) email. Tension: CMS supports both encryption (enveloped data) and signatures. Outcome: you can simply base64 encode it.

MATCHESSolution

Encrypting the refresh token is a good idea — without the need for a database. Tension: If you know that this will not happen to your users. Outcome: that approach might be ok.

MATCHESSolution

Browsers themselves provide an encryption interface. That interface supports AES-GCM — You mention using the private key. Tension: WebAuthn does not currently provide any symmetric key that can be used for encryption. Outcome: You would need to download Chr.

MATCHESSolution

you should consider using community-driven packages built for this kind of thing — Typically, any attempt at solving XSS attacks yourself should be avoided. Tension: they will find these pseudo-protocol calls. Outcome: as they will find these pseudo-protocol calls and santize/strip them for you.

MATCHESSolution

Solution: — leveraging Spring Security for Authentication. Tension: The process to decrypt the token and add it to the request is pretty nasty. Outcome: I worked around the issue and got it working.

MATCHESSolution

Use HTTPS/TLS for the site (and verify with a packet capture tool like Wireshark/tcpdump that traffic is encrypted). Treat DevTools payload viewing as client-side request contents rather than evidence that encryption is missing.

MATCHESSolution

In crypto/x509/v3_genn.c, line 100-102.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Misusing Crypto Primitives - inErrata Knowledge Graph | Inerrata