Hi Stas,
On Wed, Apr 13, 2016 at 12:50 PM, Stanislav Malyshev wrote:
>> Yes and no.
>> Patch uses php_random_bytes(), so it uses appropriate PRNG for the system.
>> php_random_bytes() is supposed to be available always.
>
> True, but is it always OK to export its state to anybody who asks, on
> d
Hi!
> Yes and no.
> Patch uses php_random_bytes(), so it uses appropriate PRNG for the system.
> php_random_bytes() is supposed to be available always.
True, but is it always OK to export its state to anybody who asks, on
demand, in unlimited numbers? I'm not so sure.
> Experts say secure PRNG l
Hi Stas,
On Wed, Apr 13, 2016 at 1:12 AM, Stanislav Malyshev wrote:
>
>> A PRNG like /dev/urandom is supposed to be secure, but fair point. It
>> may be a good idea to keep the old hash-based session ID just in case
>> someone finds a vulnerability. I suppose it's unlikely with modern PRNGs,
>> though.
>
>
Hi Andrey,
On Tue, Apr 12, 2016 at 8:12 PM, Andrey Andreev wrote:
>
> On Tue, Apr 12, 2016 at 2:04 PM, Yasuo Ohgaki wrote:
>>
>> Hi Philip,
>>
>> On Tue, Apr 12, 2016 at 5:38 PM, Philip Hofstetter wrote:
>> > On Tue, Apr 12, 2016 at 10:21 AM, Michael Wallner wrote:
>> >> On 08/04/16 04:17,
Hi!
> A PRNG like /dev/urandom is supposed to be secure, but fair point. It
> may be a good idea to keep the old hash-based session ID just in case
> someone finds a vulnerability. I suppose it's unlikely with modern PRNGs,
> though.
That assumes we use /dev/urandom directly and it is always available on
al
Hi,
On Tue, Apr 12, 2016 at 2:04 PM, Yasuo Ohgaki wrote:
> Hi Philip,
>
> On Tue, Apr 12, 2016 at 5:38 PM, Philip Hofstetter wrote:
> > On Tue, Apr 12, 2016 at 10:21 AM, Michael Wallner wrote:
> >> On 08/04/16 04:17, Yasuo Ohgaki wrote:
> >>
> >>> PRNG like /dev/urandom is supposed to be sec
Hi Philip,
On Tue, Apr 12, 2016 at 5:38 PM, Philip Hofstetter wrote:
> On Tue, Apr 12, 2016 at 10:21 AM, Michael Wallner wrote:
>> On 08/04/16 04:17, Yasuo Ohgaki wrote:
>>
>>> A PRNG like /dev/urandom is supposed to be secure, but fair point. It
>>> may be a good idea to keep the old hash-based session
Hi Michael,
On Tue, Apr 12, 2016 at 5:21 PM, Michael Wallner wrote:
>> A PRNG like /dev/urandom is supposed to be secure, but fair point. It
>> may be a good idea to keep the old hash-based session ID just in case
>> someone finds a vulnerability. I suppose it's unlikely with modern PRNGs,
>> though.
>
> I'
Hi
On Tue, Apr 12, 2016 at 10:21 AM, Michael Wallner wrote:
> On 08/04/16 04:17, Yasuo Ohgaki wrote:
>
>> A PRNG like /dev/urandom is supposed to be secure, but fair point. It
>> may be a good idea to keep the old hash-based session ID just in case
>> someone finds a vulnerability. I suppose it's unlikely w
On 08/04/16 04:17, Yasuo Ohgaki wrote:
> A PRNG like /dev/urandom is supposed to be secure, but fair point. It
> may be a good idea to keep the old hash-based session ID just in case
> someone finds a vulnerability. I suppose it's unlikely with modern PRNGs,
> though.
I've come to think that "unlikely" is s
Hi Stas,
On Fri, Apr 8, 2016 at 8:36 AM, Stanislav Malyshev wrote:
>> The session module does not require hashing to generate a session ID. This
>> RFC removes hashing from the session module and enables use_strict_mode as
>> insurance against a broken RNG.
>>
>> https://wiki.php.net/rfc/session-id-without-has
Hi!
> The session module does not require hashing to generate a session ID. This
> RFC removes hashing from the session module and enables use_strict_mode as
> insurance against a broken RNG.
>
> https://wiki.php.net/rfc/session-id-without-hashing
I'm not sure why that should be the default. First of all, I'm
On 06.04.2016 07:47, Yasuo Ohgaki wrote:
> The session module does not require hashing to generate a session ID. This
> RFC removes hashing from the session module and enables use_strict_mode as
> insurance against a broken RNG.
>
> https://wiki.php.net/rfc/session-id-without-hashing
I cannot talk about the me
Hi all,
The session module does not require hashing to generate a session ID. This
RFC removes hashing from the session module and enables use_strict_mode as
insurance against a broken RNG.
https://wiki.php.net/rfc/session-id-without-hashing
Comments are appreciated!
Regards,
--
Yasuo Ohgaki
yohg...@ohgaki.