JavaScript

Made by DeepSource

Found weak hashing functions JS-D003

Security
Major
Autofix
A02
OWASP Top 10

Robust cipher algorithms are cryptographic systems resistant to cryptanalysis. They are not vulnerable to well-known attacks like brute force attacks.

A general recommendation is to use only cipher algorithms that have been intensively tested and promoted by the cryptographic community.

More specifically, it's not recommended for a block cipher to use an algorithm with a block size below 128 bits.

Continued use of weak hashing algorithms in certificates puts your clients' sensitive data at risk and will cause browsers to display warnings. Warnings create mistrust when connecting to a site and can cause clients to avoid your site.

Algorithms once thought of as secure and unbreakable have become either weak or breakable. For example, MD5, once thought to be a secure and unbreakable hashing algorithm, went from being a strong hashing algorithm to a weak hashing algorithm to a broken hashing algorithm.

Bad Practice

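crypto.createCipheriv("aes-128-ecb", key, ''); // ECB: identical plaintext blocks encrypt to identical ciphertext blocks
crypto.pseudoRandomBytes(1); // deprecated API; use crypto.randomBytes() instead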

Recommended

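const crypto = require('crypto');
const key = crypto.randomBytes(32); // 256-bit key from the CSPRNG (size argument is required)
const iv = crypto.randomBytes(16);  // AES-CBC needs a fresh 16-byte IV; an empty IV throws
crypto.createCipheriv('aes-256-cbc', key, iv);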
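
The difference between the flagged and the recommended call, as an added example that is not DeepSource's own code: it encrypts the same repeated block with aes-128-ecb and with aes-256-cbc under a random IV, then checks whether ciphertext blocks repeat. The function names and the sample plaintext are constructed for this illustration.

```javascript
const crypto = require('crypto');

// Constructed sample: the same 16-byte block repeated three times.
const SAMPLE = Buffer.from('ACCOUNT=00001234'.repeat(3), 'utf8');

// Split a ciphertext into 16-byte AES blocks, hex-encoded.
function blocks(buf) {
  const out = [];
  for (let i = 0; i < buf.length; i += 16) {
    out.push(buf.subarray(i, i + 16).toString('hex'));
  }
  return out;
}

// Flagged pattern: ECB takes no IV, so each block is encrypted independently.
function encryptEcb(key, plaintext) {
  const c = crypto.createCipheriv('aes-128-ecb', key, null);
  return Buffer.concat([c.update(plaintext), c.final()]);
}

// Recommended pattern: AES-256-CBC with a fresh random IV per message.
// The IV is not secret and is returned so it can be stored with the ciphertext.
function encryptCbc(key, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  return { iv, ciphertext: Buffer.concat([c.update(plaintext), c.final()]) };
}

function decryptCbc(key, iv, ciphertext) {
  const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([d.update(ciphertext), d.final()]);
}

// True when any two ciphertext blocks are identical, i.e. plaintext structure leaks.
function hasRepeatedBlocks(ciphertext) {
  const b = blocks(ciphertext);
  return new Set(b).size < b.length;
}
```

hasRepeatedBlocks(encryptEcb(key, SAMPLE)) returns true for any 16-byte key, while the CBC ciphertext of the same input shows no repeated blocks and changes on every call because the IV changes.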
