I've suspended most of my StackOverflow activities. There are a few reasons for this, but here are the main reasons.
StackExchange is starting to have serious issues, and the SE staff is unwilling to take the necessary steps to resolve them. Examples are the close vote queue, which is 8.2K. The reason? Close votes simply expire, so the questions are never put on hold. Burninate requests can be accepted, but nothing will happen for several years if you post them on Meta. If a user profile is deleted, all reputation cast by that person is deleted as well; you can see how SE ignores this here, 10K votes and counting. Migration to sites such as Cryptography is an absolute nightmare, and often I can only hope that questions are put on hold (see above). Generally questions are either forgotten or crossposted though. This kind of ignorance I know only from my time at Experts Exchange and it was reason for me to quit.
Unfortunately StackOverflow has become a place for newbies to quickly resolve their issues. This has spilled into the crypto part as well. Unfortunately this has also changed the perception of the site, and nobody seems interested in asking good questions anymore. Basically all questions are either encoding / decoding issues or questions on how to convert one piece of weak code in one language to another. That's just not interesting enough for me to continue.
So for now I'll just answer Java Card questions and keep my current crypto answers up to date. That's 10% of the total crypto questions - and I started late.
The most common security mistakes on SO, how does your code score?
- not understanding the difference between encoding and encryption;
- using keys or IVs directly derived from text / passwords;
- using ECB mode encryption;
- using MD5, DES or other outdated cryptographic algorithms;
- not understanding how to use an IV / nonce;
- performing password hashing (or key derivation) without applying PBKDF2, bcrypt or scrypt;
- using ciphertext that is not protected by an authentication tag;
- thinking that OTP (XOR-encryption) can be made secure (without inventing an inefficient stream cipher);
- encryption without establishing trust (most browser based encryption);
- using textbook RSA or using RSA to directly encrypt messages;
- inventing transport based security instead of using (D)TLS;
- not using a cryptographically secure random number generator.