DEV Community

Discussion on: Secure Web applications using CryptoJS and PHP

Inkeliz • Edited

I don't think that article makes any sense.

First, you are using symmetric keys and those keys are being shared in the same channel, so you end up with zero protection against MITM. The only way for that to work is sharing keys "out-of-band". Otherwise, what prevents the attacker from changing (or seeing) the key when you request libs/php/get_random_key.php?

If the purpose of the AES is to share data between two parties, you need some "key agreement" in another channel of communication or you should use a key exchange such as ECDH. But even using ECDH (or an equivalent key exchange): you must somehow key-pin/trust the server key, or you must also have another trusted signature key (say Ed25519) that signs the ephemeral ECDH key...

However, TLS/SSL already does it for you. So, if you use TLS you already have protection against MITM; you don't need to use CryptoJS anymore for that.

CryptoJS can be used for encryption, but not even close to how it was described in this article. The example using time is awful, I don't need to say why. A better valid example would be using PBKDF2 to create an AES key from some password to encrypt a file, so that the server can't read the content and it can only be decrypted by the user. Or, maybe using PBKDF2 to create an X25519 key and exchange a key with the trusted server key (which can be done without a request) and send the data encrypted, but I think CryptoJS doesn't handle it, so maybe Libsodium would be a better choice.