Forgot to reply all, it seems.
---------- Forwarded message ----------
From: Scott Arciszewski <sc...@arciszewski.me>
Date: Wed, Nov 26, 2014 at 11:59 AM
Subject: Re: [PHP-DEV] Fwd: [php-src] Constant-Time bin2hex()
implementation (#909)
To: Ferenc Kovacs <tyr...@gmail.com>


On Wed, Nov 26, 2014 at 11:49 AM, Ferenc Kovacs <tyr...@gmail.com> wrote:

>
>> That's a rather extreme reaction to trying to patch string operations that
>> real-world frameworks use to handle crypto secrets, don't you think?
>>
>>
> and there are at least that many, but probably a lot more usages in the
> wild (see
> https://github.com/search?l=php&q=bin2hex&type=Code&utf8=%E2%9C%93 for
> example) where there is nothing to do with security so there is no gain for
> being constant time, but those users would get the performance degradation.
> I think it would be better to introduce constant time alternatives for
> functions like this instead of trying to replace them and require everybody
> to pay the performance price.
>
> ps: don't top-post please, see
> http://git.php.net/?p=php-src.git;a=blob;f=README.MAILINGLIST_RULES
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
>

> I think it would be better to introduce constant time alternatives for
> functions like this instead of trying to replace them and require everybody
> to pay the performance price.

I've updated my PR that adds ts_bin2hex().
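
Added example (not part of the original thread, and not the code from the PR mentioned above): the trade-off under discussion in C, with a table-lookup hex encoder beside an arithmetic-only one that avoids input-dependent memory indexing. The names `table_bin2hex`, `ct_bin2hex`, `nibble_to_hex` and `encoders_agree` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Conventional encoder: each nibble indexes a table, so the address that is
 * read (and therefore cache behaviour) depends on the input bytes. */
static const char HEX_TABLE[] = "0123456789abcdef";

size_t table_bin2hex(char *out, size_t out_len,
                     const unsigned char *in, size_t in_len)
{
    if (in_len > (SIZE_MAX - 1) / 2 || out_len < in_len * 2 + 1) return 0;
    for (size_t i = 0; i < in_len; i++) {
        out[2 * i]     = HEX_TABLE[in[i] >> 4];
        out[2 * i + 1] = HEX_TABLE[in[i] & 0x0f];
    }
    out[in_len * 2] = '\0';
    return in_len * 2;
}

/* Nibble (0..15) to lowercase hex digit using arithmetic only: no table
 * index and no branch that depends on the value. */
static unsigned char nibble_to_hex(unsigned int n)
{
    /* n - 10 wraps for n < 10, so lt10 is 0xff there and 0 otherwise. */
    unsigned int lt10 = ((n - 10u) >> 8) & 0xffu;
    /* 87 + n yields 'a'..'f'; subtracting 39 when n < 10 yields '0'..'9'. */
    return (unsigned char)(87u + n - (lt10 & 39u));
}

/* Hypothetical constant-time variant with the same interface. */
size_t ct_bin2hex(char *out, size_t out_len,
                  const unsigned char *in, size_t in_len)
{
    if (in_len > (SIZE_MAX - 1) / 2 || out_len < in_len * 2 + 1) return 0;
    for (size_t i = 0; i < in_len; i++) {
        out[2 * i]     = (char)nibble_to_hex(in[i] >> 4);
        out[2 * i + 1] = (char)nibble_to_hex(in[i] & 0x0fu);
    }
    out[in_len * 2] = '\0';
    return in_len * 2;
}

/* Returns 1 if both encoders agree on every possible byte value. */
int encoders_agree(void)
{
    unsigned char all[256];
    char a[513], b[513];
    for (int i = 0; i < 256; i++) all[i] = (unsigned char)i;
    return table_bin2hex(a, sizeof a, all, 256) == 512 &&
           ct_bin2hex(b, sizeof b, all, 256) == 512 && strcmp(a, b) == 0;
}
```

Whether the compiled output stays free of data-dependent branches depends on the compiler and flags, so check the generated assembly for the target build.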
