Hi Yasuo,
On 23.02.2014, at 21:59, Yasuo Ohgaki <[email protected]> wrote:
> I did some experiments. It seems it's good to implement timing safe comparison in the engine.
> i.e. We can make ==/=== secure by default like Python. It would be much safer to get rid of all timing
> from PHP.
>
> We need a new RFC to include the change in the engine.
That's not how I read that discussion (though I might have missed a mail). Also personally I
don't like it. I don't see that the supposed gain in security is worth the performance
implication. Also if it turns out there's a bug, and we'd have to make it 100 times slower
for some reason, then that's not a big deal for a function like hash_equals. It is however if
it affects all comparisons.
Since I don't believe in that change, I'm not interested in proposing that RFC.
Best regards
Rouve