Hi Andrey,

On Tue, Apr 12, 2016 at 8:12 PM, Andrey Andreev <n...@devilix.net> wrote:
>
> On Tue, Apr 12, 2016 at 2:04 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>>
>> Hi Philip,
>>
>> On Tue, Apr 12, 2016 at 5:38 PM, Philip Hofstetter
>> <phofstet...@sensational.ch> wrote:
>> > On Tue, Apr 12, 2016 at 10:21 AM, Michael Wallner <m...@php.net> wrote:
>> >> On 08/04/16 04:17, Yasuo Ohgaki wrote:
>> >>
>> >>> A PRNG like /dev/urandom is supposed to be secure, but fair point. It
>> >>> may be a good idea to keep the old hash-based session ID just in case
>> >>> someone finds a vulnerability. I suppose it's unlikely with modern PRNGs,
>> >>> though.
>> >>
>> >> I've come to think that "unlikely" is still a bad precondition with
>> >> regards to security... :)
>> >
>> > However, if a vulnerability is found in /dev/urandom, that would be a
>> > stop-what-you're-doing-and-patch moment anyway, because so much stuff
>> > depends on /dev/(u)random not producing predictable output.
>> >
>> > If /dev/urandom is not to be trusted, you have to bring your server
>> > offline right then. The fact that PHP would continue to produce more
>> > secure session IDs won't help you much.
>>
>> If there is such a severe vulnerability, not only sessions but also many
>> crypt-related features cannot be trusted.
>>
>> Anyway, I'll add a mitigation that reads a random length of bytes from the PRNG.
>> This should be good enough to hide the PRNG state. Expert comments on
>> this are appreciated.
>>
>
> How are you going to read a *random* length of bytes from the randomness
> source itself? That's a chicken-and-egg problem. :)
If you say so, the current implementation is also vulnerable :)

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php