Re: little request :)

From:	Yasuo Ohgaki	Date:	Sat, 08 Feb 2014 03:50:17 +0000
Subject:	Re: little request :)
References:	1 2 3 4 5 6 7 8 9 10 11 12 13	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi all,

On Sat, Feb 8, 2014 at 8:06 AM, Pádraic Brady <[email protected]>wrote:

> Timing attacks are practical. It's been proven. It's accepted as a
> security vulnerability (albeit grudgingly I know by those who have to
> fix it). It's been fixed in any number of applications already. We
> could wait for a hostile attack to actually happen and then actually
> be publicised, but why do nothing when the fix is so damn simple? :P
>

I agree. It's easy to fix by PHP core. There are number of real apps that
have deployed
mitigation by themselves. There is no reason not to add counter measure for
timing attacks.
It's mandatory as language. We may make ==/=== timing safe like Python, it
may be overkill
or may not.

Have anyone took benchmark with this?
https://github.com/yohgaki/php-src/compare/PHP-5.6-rfc-hash-compare
There are number of timing safe comparison functions.

BTW, I would like to see comparison between current PHP hash and
xxhash/SipHash for
PHP array.  IIRC, PHP is using BJB's old hash. Other languages adopted
SipHash, I think
it worth to try or have it already done?

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (42 messages)

• Pierre JoyeWed, 05 Feb 2014 10:20:27 +0000
  • Yasuo OhgakiWed, 05 Feb 2014 22:57:17 +0000
    • Pádraic BradyThu, 06 Feb 2014 00:42:29 +0000
      • Yasuo OhgakiThu, 06 Feb 2014 03:06:35 +0000
  • Stas MalyshevWed, 05 Feb 2014 23:00:10 +0000
  • Rouven WeßlingThu, 06 Feb 2014 00:06:26 +0000Re: little request :)
    • Tjerk MeestersThu, 06 Feb 2014 03:51:55 +0000
      • Yasuo OhgakiThu, 06 Feb 2014 04:53:29 +0000
    • Lester CaineThu, 06 Feb 2014 05:49:59 +0000
      • Pierre JoyeThu, 06 Feb 2014 05:55:20 +0000
      • Yasuo OhgakiThu, 06 Feb 2014 05:58:47 +0000
        • Lester CaineThu, 06 Feb 2014 23:18:51 +0000
          • Pádraic BradyThu, 06 Feb 2014 23:32:44 +0000
            • Tjerk MeestersFri, 07 Feb 2014 00:32:10 +0000
              • Yasuo OhgakiFri, 07 Feb 2014 01:01:45 +0000
            • Lester CaineFri, 07 Feb 2014 05:17:41 +0000
              • Sanford WhitemanFri, 07 Feb 2014 07:41:32 +0000
                • Pádraic BradyFri, 07 Feb 2014 10:54:16 +0000
              • Pádraic BradyFri, 07 Feb 2014 10:41:29 +0000
                • Lester CaineFri, 07 Feb 2014 11:20:08 +0000
                  • Lester CaineFri, 07 Feb 2014 22:10:12 +0000
                    • Sanford WhitemanFri, 07 Feb 2014 22:45:28 +0000
                    • Pádraic BradyFri, 07 Feb 2014 23:06:28 +0000
                      • Yasuo OhgakiSat, 08 Feb 2014 03:50:17 +0000
                    • Sanford WhitemanFri, 07 Feb 2014 23:56:29 +0000
                  • Sanford WhitemanFri, 07 Feb 2014 22:24:51 +0000
  • Solar DesignerThu, 06 Feb 2014 14:24:48 +0000Re: Fwd: little request :)
    • Yasuo OhgakiThu, 06 Feb 2014 21:45:41 +0000Re: Re: Fwd: little request :)
    • Pádraic BradyThu, 06 Feb 2014 23:44:58 +0000Re: Re: Fwd: little request :)
    • Tjerk MeestersMon, 10 Feb 2014 10:36:18 +0000Re: Re: Fwd: little request :)
      • Solar DesignerMon, 10 Feb 2014 11:45:22 +0000
      • Yasuo OhgakiMon, 10 Feb 2014 19:50:15 +0000
        • Yasuo OhgakiMon, 10 Feb 2014 20:09:42 +0000
        • Tjerk MeestersMon, 10 Feb 2014 23:55:41 +0000
          • Lester CaineTue, 11 Feb 2014 00:39:55 +0000
            • Robert ParkerTue, 11 Feb 2014 17:55:12 +0000
            • Robert ParkerTue, 11 Feb 2014 17:57:49 +0000
          • Solar DesignerTue, 11 Feb 2014 07:43:13 +0000
            • Yasuo OhgakiWed, 12 Feb 2014 09:39:32 +0000
              • Solar DesignerWed, 12 Feb 2014 12:47:33 +0000
                • Pierre JoyeWed, 12 Feb 2014 14:49:38 +0000
                  • Lester CaineWed, 12 Feb 2014 16:34:14 +0000