> > > That's a rather extreme reaction to trying to patch string operations that
> > > real-world frameworks use to handle crypto secrets, don't you think?
>

and there are at least that many, but probably a lot more usages in the wild (see https://github.com/search?l=php&q=bin2hex&type=Code&utf8=%E2%9C%93 for example) where there is nothing to do with security, so there is no gain from being constant time, but those users would get the performance degradation. I think it would be better to introduce constant-time alternatives for functions like this instead of trying to replace them and requiring everybody to pay the performance price.
ps: don't top-post please, see http://git.php.net/?p=php-src.git;a=blob;f=README.MAILINGLIST_RULES

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
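As an added illustration of the "constant-time alternative alongside the existing function" approach being argued for above (example code written for this page, not taken from php-src or from anyone in this thread): the table-driven encoder is what a plain bin2hex-style implementation looks like, and the branchless one next to it produces the same output without a data-dependent table index. The nibble formula is the well-known trick used by libsodium's hex encoder; the function names ct_bin2hex, table_bin2hex and ct_bin2hex_selfcheck are this example's own, not PHP API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Branchless nibble -> lowercase ASCII hex digit. No table lookup and no
 * data-dependent branch, so the nibble value does not steer memory access.
 * For n in 0..9, (n - 10U) wraps, the shifted mask selects ~38U, and the
 * sum truncates to 48 + n ('0'..'9'); for n in 10..15 the mask is 0 and the
 * result is 87 + n ('a'..'f'). */
static unsigned char ct_hex_digit(unsigned int n)
{
    return (unsigned char)(87U + n + (((n - 10U) >> 8) & ~38U));
}

/* Constant-time hex encoding of bin[0..bin_len) into hex, which must hold
 * 2*bin_len + 1 bytes. Returns hex. */
char *ct_bin2hex(char *hex, const unsigned char *bin, size_t bin_len)
{
    for (size_t i = 0; i < bin_len; i++) {
        hex[2 * i]     = (char)ct_hex_digit((unsigned int)(bin[i] >> 4));
        hex[2 * i + 1] = (char)ct_hex_digit((unsigned int)(bin[i] & 0x0fU));
    }
    hex[2 * bin_len] = '\0';
    return hex;
}

/* Conventional table-driven encoder: the index into `digits` depends on the
 * byte being encoded. A 16-byte table normally sits in a single cache line,
 * so the practical leak is small; the point of the variant above is simply
 * not to depend on that. */
char *table_bin2hex(char *hex, const unsigned char *bin, size_t bin_len)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < bin_len; i++) {
        hex[2 * i]     = digits[bin[i] >> 4];
        hex[2 * i + 1] = digits[bin[i] & 0x0f];
    }
    hex[2 * bin_len] = '\0';
    return hex;
}

/* Encodes every byte value 0..255 with both encoders and returns 1 if the
 * outputs are identical, 0 otherwise. */
int ct_bin2hex_selfcheck(void)
{
    unsigned char all[256];
    char a[2 * 256 + 1];
    char b[2 * 256 + 1];
    for (int i = 0; i < 256; i++) {
        all[i] = (unsigned char)i;
    }
    ct_bin2hex(a, all, sizeof all);
    table_bin2hex(b, all, sizeof all);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample input standing in for a secret key. */
    const unsigned char key[] = {0x00, 0x09, 0x0a, 0x0f, 0x7f,
                                 0xde, 0xad, 0xbe, 0xef, 0xff};
    char hex[2 * sizeof key + 1];

    printf("%s\n", ct_bin2hex(hex, key, sizeof key));
    printf("selfcheck: %s\n", ct_bin2hex_selfcheck() ? "ok" : "FAIL");
    return 0;
}
```

Keeping both functions side by side is the shape of the proposal in the message: the existing encoder stays as it is for the many non-secret callers, and code that handles key material opts into the constant-time one.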