Hi Anatol,

On 26 October 2015 at 21:58, Anatol Belski <anatol....@belski.net> wrote:
> Which discussions do you mean, could you please link to them? The one I
> remember right now is https://github.com/php/php-src/pull/1513 , but
> there's actually no obvious conclusion. Removing arc4random is quite a
> radical move, but OpenBSD and NetBSD could still profit from not using
> /dev/urandom and it would cost just extending the macro condition.
>
> Thanks
>
> Anatol
>

There have been a lot of small discussions in the past 6 months in various places; I cannot link to all of them. Most recently https://bugs.php.net/bug.php?id=70744 , which created an offline discussion between myself, Tom W and Anthony F.

There have been pro and con discussions, but in the interest of security the cons weigh more heavily.

The biggest con is that arc4random has been around for a long time, and different platforms/versions have implementations that range anywhere between very flawed and very strong. We cannot guarantee cryptographic quality on all platforms.

We could conditionally include it on platforms where WE think it is secure (this extends beyond the use of ChaCha20, on which there hasn't been much public cryptanalysis at all). At present it looks like the only OSes to implement the whole security model correctly (i.e. zeroing state on fork, killing the process if entropy could not be obtained from the kernel, etc.) are OpenBSD 5.5+ and NetBSD 7.

Do we want the responsibility of judging which implementations are secure, and maintaining that list?

It's a difficult place to be in, people on one side saying it's a good idea to include it, people on the other side saying it's not. I've gone with "I'm not sure, so better to be safe".
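The two properties named above (zeroing the generator state on fork, and refusing to run if the kernel cannot supply entropy) are easy to see in a few lines of C. The example below is added for this thread; it is not php-src code and not any platform's arc4random. It seeds a userspace generator from /dev/urandom, forks, and draws bytes on both sides: without fork handling the parent and child emit identical bytes, with it the child wipes the inherited state and reseeds. Assumptions, not from the thread: xoshiro256** is used only as a stand-in stream and is not a CSPRNG, the fork is detected by a pid comparison, and abort() stands in for "kill the process when entropy cannot be obtained".

```c
/* Added illustration for this thread, not php-src code. xoshiro256** below
 * stands in for a userspace CSPRNG stream such as arc4random's ChaCha20; it
 * is NOT cryptographic, only the state handling around it matters here.
 * Assumptions: a pid comparison detects the fork, and abort() stands in for
 * "kill the process if the kernel cannot supply entropy". */
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define OUT_LEN 16

struct gen {
    uint64_t s[4];
    pid_t owner;   /* pid that seeded s; a different pid means we forked */
};

/* Seed from the kernel; refuse to continue on any failure. */
static void seed_from_kernel(uint64_t s[4])
{
    unsigned char *p = (unsigned char *)s;
    size_t need = 4 * sizeof(uint64_t), got = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) abort();
    while (got < need) {
        ssize_t n = read(fd, p + got, need - got);
        if (n <= 0) abort();
        got += (size_t)n;
    }
    close(fd);
}

static uint64_t rotl(uint64_t x, int k) { return (x << k) | (x >> (64 - k)); }

static uint64_t next_u64(struct gen *g)
{
    uint64_t *s = g->s, r = rotl(s[1] * 5, 7) * 9, t = s[1] << 17;
    s[2] ^= s[0]; s[3] ^= s[1]; s[1] ^= s[2]; s[0] ^= s[3];
    s[2] ^= t; s[3] = rotl(s[3], 45);
    return r;
}

static void gen_init(struct gen *g)
{
    seed_from_kernel(g->s);
    g->owner = getpid();
}

/* With reseed_on_fork set, a forked child wipes the inherited state and
 * reseeds from the kernel before emitting anything; without it, parent and
 * child continue from the same state and emit the same bytes. */
static void gen_bytes(struct gen *g, unsigned char *buf, size_t len, int reseed_on_fork)
{
    if (reseed_on_fork && g->owner != getpid()) {
        memset(g->s, 0, sizeof g->s);
        gen_init(g);
    }
    while (len > 0) {
        uint64_t v = next_u64(g);
        size_t n = len < sizeof v ? len : sizeof v;
        memcpy(buf, &v, n);
        buf += n; len -= n;
    }
}

/* Move exactly len bytes through a pipe end, reading or writing. */
static void xfer(int fd, unsigned char *p, size_t len, int writing)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = writing ? write(fd, p + off, len - off) : read(fd, p + off, len - off);
        if (n <= 0) _exit(2);
        off += (size_t)n;
    }
}

/* Seed, fork, draw OUT_LEN bytes on both sides. Returns 1 if the outputs are
 * identical (the hazard), 0 if they diverge. */
int fork_outputs_collide(int reseed_on_fork)
{
    struct gen g;
    unsigned char mine[OUT_LEN], theirs[OUT_LEN];
    int fds[2], status;
    gen_init(&g);
    if (pipe(fds) != 0) abort();
    pid_t pid = fork();
    if (pid < 0) abort();
    if (pid == 0) {                       /* child: inherits g verbatim */
        close(fds[0]);
        gen_bytes(&g, mine, OUT_LEN, reseed_on_fork);
        xfer(fds[1], mine, OUT_LEN, 1);
        _exit(0);
    }
    close(fds[1]);
    xfer(fds[0], theirs, OUT_LEN, 0);
    close(fds[0]);
    waitpid(pid, &status, 0);
    gen_bytes(&g, mine, OUT_LEN, reseed_on_fork);
    return memcmp(mine, theirs, OUT_LEN) == 0;
}
```

fork_outputs_collide(0) returns 1 (parent and child hand out the same "random" bytes), fork_outputs_collide(1) returns 0. The pid check is the weakest part of this sketch: pids are reused, and a library cannot see every fork, which is why OpenBSD's arc4random relies on the kernel zeroing the state page on fork (minherit with MAP_INHERIT_ZERO) rather than on a check like this; that, and whether a platform aborts rather than silently continuing when the seed read fails, is exactly what varies between arc4random implementations.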