Re: [VOTE] Timing attack safe string comparison function
From: Andrey Andreev
Date: Wed, 05 Feb 2014 20:18:17 +0000
Subject: Re: [VOTE] Timing attack safe string comparison function
Groups: php.internals
Request: Send a blank email to [email protected] to get a copy of this message

Hi,

Incidentally, I've been doing some research on this problem, so here's my 2 cents:

Why not add a third parameter to specify the minimum length? Something like a time-attack-safe strncmp(). Give that parameter a sane enough value for today and it could be increased in the future without changing APIs and upsetting users.

+1 on E_WARNING for non-string input.

Cheers,
Andrey.
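
One possible reading of the minimum-length parameter proposed in the message above, as an added example (not code from the message, the RFC or PHP itself): the loop runs for max(user length, minimum) iterations, so how long it runs does not depend on the length of the secret. The names ts_equals_min and ts_iterations, the wrap-around indexing and the sample strings are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Added sketch; names and signature are hypothetical, not PHP's API. */

/* Loop count depends only on the caller-supplied length and the public
 * minimum, never on the length of the secret. */
size_t ts_iterations(size_t user_len, size_t min_len)
{
    return user_len > min_len ? user_len : min_len;
}

/* Returns 1 when known == user, 0 otherwise. */
int ts_equals_min(const unsigned char *known, size_t known_len,
                  const unsigned char *user, size_t user_len,
                  size_t min_len)
{
    static const unsigned char pad = 0;
    /* Empty inputs are redirected to one pad byte so indexing stays valid. */
    const unsigned char *kp = known_len ? known : &pad;
    const unsigned char *up = user_len ? user : &pad;
    size_t kl = known_len ? known_len : 1;
    size_t ul = user_len ? user_len : 1;
    size_t n = ts_iterations(user_len, min_len);
    size_t ki = 0, ui = 0, i;
    unsigned char diff = 0;

    for (i = 0; i < n; i++) {
        diff |= (unsigned char)(kp[ki] ^ up[ui]);
        /* Advance and wrap without an if: the mask is all ones while the
         * index is in range and zero once it reaches the end. */
        ki++; ki &= (size_t)0 - (size_t)(ki < kl);
        ui++; ui &= (size_t)0 - (size_t)(ui < ul);
    }
    /* A length mismatch is folded in at the end, not returned early. */
    return (diff == 0) & (known_len == user_len);
}

int main(void)
{
    const unsigned char secret[] = "s3cr3t-token";   /* constructed sample */
    const unsigned char guess[]  = "s3cr3t-tokeX";   /* constructed sample */
    printf("%d %d\n",
           ts_equals_min(secret, 12, secret, 12, 32),
           ts_equals_min(secret, 12, guess, 12, 32));
    return 0;
}
```

Because short inputs wrap around to fill the minimum, the final length check is what rejects pairs such as "abab" against "ab"; a compiler may still turn the masked updates into branches, so the generated code needs checking before relying on the timing.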