Hi,

On Tue, Apr 12, 2016 at 2:04 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi Philip,
>
> On Tue, Apr 12, 2016 at 5:38 PM, Philip Hofstetter
> <phofstet...@sensational.ch> wrote:
> > On Tue, Apr 12, 2016 at 10:21 AM, Michael Wallner <m...@php.net> wrote:
> >> On 08/04/16 04:17, Yasuo Ohgaki wrote:
> >>
> >>> A PRNG like /dev/urandom is supposed to be secure, but fair point. It
> >>> may be a good idea to keep the old hash-based session ID just in case
> >>> someone finds a vulnerability. I suppose it's unlikely with modern
> >>> PRNGs, though.
> >>
> >> I've come to think that "unlikely" is still a bad precondition with
> >> regards to security... :)
> >
> > However, if a vulnerability is found in /dev/urandom, that would be a
> > stop-what-you're-doing-and-patch moment anyway, because so much stuff
> > depends on /dev/(u)random not producing predictable output.
> >
> > If /dev/urandom is not to be trusted, you have to bring your server
> > offline right then. The fact that PHP would continue to produce more
> > secure session IDs won't help you much.
>
> If there is such a severe vulnerability, not only sessions but also many
> crypt-related features cannot be trusted.
>
> Anyway, I'll add a mitigation that reads a random length of bytes from the
> PRNG. This should be good enough to hide the PRNG state. Expert comments on
> this are appreciated.
>

How are you going to read a *random* length of bytes from the randomness
source itself? That's a chicken-and-egg problem. :)

Cheers,
Andrey.