Re: [RFC] Secure Session Module Options by Default

From:	Yasuo Ohgaki	Date:	Sun, 02 Feb 2014 06:50:03 +0000
Subject:	Re: [RFC] Secure Session Module Options by Default
References:	1	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi all,

On Sun, Feb 2, 2014 at 7:33 AM, Yasuo Ohgaki <[email protected]> wrote:

> Secure Session Module Options by Default
> https://wiki.php.net/rfc/secure-session-options-by-default
>
> Session is core of web security. Therefore, default should be
> as secure as possible by default.
>
> I'll open vote next week, please send comments now.
>

As many of already knew, use of SHA-1 is deprecated for security related
use by NIST.

"applications that require collision resistance as soon as practical, and
must use the SHA-2 family of hash functions for these applications after
2010. "
http://csrc.nist.gov/groups/ST/hash/policy_2006.html

Current files save handler detects collision and it is out of NIST
requirement regardless of hash function. Collision detection is up to save
handler now. It could be check with newer session module code using
PS_VALIDATE_SID_FUNC(). This API is included in the patch for

https://wiki.php.net/rfc/session-lock-ini

If 3rd party save handler supports PS_VALIDATE_FUNC(), collision detection
can be done at session module.

This RFC may be better to include this change (collision detection) also.

AND/OR

We may use SHA-256 as the default.
This may be preferred since NIST discourages use of SHA-1 anyway.

Regards,

P.S. It may be too late to change. SHA-3 is coming now.

--
Yasuo Ohgaki
[email protected]


   

Thread (30 messages)

• Yasuo OhgakiSat, 01 Feb 2014 22:33:37 +0000
  • Stas MalyshevSat, 01 Feb 2014 22:52:56 +0000
    • Yasuo OhgakiSat, 01 Feb 2014 23:59:59 +0000
      • Yasuo OhgakiSun, 02 Feb 2014 00:06:54 +0000
      • Stas MalyshevSun, 02 Feb 2014 07:14:04 +0000
        • Yasuo OhgakiSun, 02 Feb 2014 09:50:17 +0000
          • Yasuo OhgakiSun, 02 Feb 2014 09:51:51 +0000
          • Stas MalyshevSun, 02 Feb 2014 10:25:50 +0000
            • Yasuo OhgakiMon, 03 Feb 2014 02:08:28 +0000
              • Stas MalyshevMon, 03 Feb 2014 08:23:22 +0000
                • Yasuo OhgakiMon, 03 Feb 2014 10:35:26 +0000
                  • Pierre JoyeMon, 03 Feb 2014 10:43:22 +0000
                    • Yasuo OhgakiMon, 03 Feb 2014 10:47:59 +0000
                  • Lester CaineMon, 03 Feb 2014 11:02:09 +0000
  • Yasuo OhgakiSun, 02 Feb 2014 06:50:03 +0000Re: [RFC] Secure Session Module Options by Default
  • Yasuo OhgakiThu, 06 Feb 2014 06:15:11 +0000Re: [RFC] Secure Session Module Options by Default
    • Yasuo OhgakiThu, 06 Feb 2014 06:26:10 +0000
• Andrey AndreevMon, 03 Feb 2014 07:31:28 +0000Re: [RFC] Secure Session Module Options by Default
  • Yasuo OhgakiMon, 03 Feb 2014 10:18:46 +0000
    • Andrey AndreevMon, 03 Feb 2014 10:54:01 +0000
      • Yasuo OhgakiMon, 03 Feb 2014 21:48:17 +0000
        • Andrey AndreevMon, 03 Feb 2014 22:29:52 +0000
          • Yasuo OhgakiMon, 03 Feb 2014 23:05:06 +0000
            • Andrey AndreevTue, 04 Feb 2014 12:59:33 +0000
              • Yasuo OhgakiWed, 05 Feb 2014 00:13:42 +0000
                • Andrey AndreevWed, 05 Feb 2014 20:00:52 +0000
                  • Yasuo OhgakiWed, 05 Feb 2014 21:58:44 +0000
                    • Andrey AndreevThu, 03 Apr 2014 09:31:58 +0000
                      • Yasuo OhgakiFri, 04 Apr 2014 09:14:07 +0000
                        • Yasuo OhgakiMon, 12 May 2014 08:13:33 +0000