On 9/20/16 10:25 PM, Stanislav Malyshev wrote:
Note that to avoid problems with opcache we can only randomize on initial boot (even then synchronizing among different processes sharing opcache may be challenging). That means that the process would be running for extended time (at least days, in theory as long as uptime allows) with the same seed. Given that, I'm not sure how much randomization would really improve.
While randomization doesn't eliminate the problem, isn't it still a valid complication for attackers? If everybody's PHP instance is running with a different hash key, that's harder to attack than if they all have the same key, even if the key isn't frequently changed.
It reminds me of when Logjam was in the news and we realized it wasn't smart for everyone to use the same default DH primes.
Tom