Erl-matter Alternatives

erl-matter reviews and mentions

• Possible Erlang Vulnerability
  2 projects | /r/cybersecurity | 26 Mar 2023

  Here you can find some research about this problem: https://github.com/gteissier/erl-matter

• Zulip is an open-source team collaboration tool with topic-based threading
  2 projects | news.ycombinator.com | 26 Feb 2022

  > false sense of security

  You don’t think a random generator that looks like it outputs log₂(26²⁰) ≈ 94 bits of entropy, but is limited by the weak PRNG state space to 36 bits, and further limited by poor seeding to about 20 bits, creates a false sense of security?

  (Source: https://github.com/gteissier/erl-matter)

  It would be entirely possible to generate a cookie that gives true security. It would also be possible to generate no cookie at all and force the administrator to become aware of the issue. It would also be possible to limit the exposure to localhost only by default.

  But Erlang does none of these things. It generates a weak cookie that looks like a strong cookie, leaves it in a hidden file that the administrator may never even become aware of, and exposes a daemon that relies on it for security to the internet by default.

  This is not how you build a secure system. This is not even how you build a system to get the administrator to realize that it needs to be secured. This goes against every security best practice that’s been written and some that are so obvious they shouldn’t need to be written. This is irresponsible and inexcusable in today’s environment, and hardly even excusable in the environment that Erlang was originally written for. This needs to be fixed.