Newsgroups: php.internals
Date: Mon, 16 Sep 2013 16:10:07 +0100
From: addw@phcomp.co.uk (Alain Williams)
To: internals@lists.php.net
Subject: Re: [PHP-DEV] PHP Crypt functions - security audit
Message-ID: <20130916151007.GI3919@phcomp.co.uk>
In-Reply-To: <20130916124416.GF3919@phcomp.co.uk>
References: <20130916105630.GZ3919@phcomp.co.uk> <1379332618.3097.8363.camel@guybrush> <20130916124416.GF3919@phcomp.co.uk>
Organization: Parliament Hill Computers Ltd
User-Agent: Mutt/1.5.20 (2009-12-10)

On Mon, Sep 16, 2013 at 01:44:16PM +0100, Alain Williams wrote:

> > Note that most of these things don't refer to PHP directly. i.e.
> > encryption between user and PHP is usually done by the web server.
> > Encryption between PHP and databases by database libraries. If
> > applications built on top of PHP don't do proper end-to-end encryption
> > it is also no issue of the platform in itself.
>
> I am aware of that. Unless we are careful all the components in an application
> stack (of which PHP is just one part) will just sit on their hands and tell
> people to look elsewhere. I am trying to kick start something that other
> components will pick up and do their bit.

One other point is that the functions in the various libraries (at the C
programming level) have got to be called with all manner of arguments, some of
which are not visible at the PHP level. Are these the correct ones? The
difference between something that works and something that is really secure
can, sometimes, be subtle/non-obvious.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include
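The point made above, that the arguments which decide whether a crypto call is secure are chosen below the PHP surface, can be made concrete with an added example. This is not code from the thread or from PHP's own sources; it is written against ext/openssl on PHP 7.1 or later, and the function and constant names (encryptRoundTripsOnly, encryptAuthenticated, NONCE_LEN, TAG_LEN) are this example's own. Both halves "work" in the sense that decrypt(encrypt(x)) == x; only the second is secure.

```php
<?php
// Added example, not code from this thread or from PHP's own sources. It shows
// why "works" and "secure" differ: the parameters that decide security (cipher
// mode, padding, IV/nonce, key length, authentication) are chosen below the
// PHP-level call. Assumes PHP >= 7.1 with ext/openssl; the function and
// constant names are this example's own.
declare(strict_types=1);

const NONCE_LEN = 12;   // GCM nonce size in bytes
const TAG_LEN   = 16;   // GCM authentication tag size in bytes

// (a) A call that round-trips and therefore passes a functional test.
//     Hidden choices: ECB mode (no IV at all), PKCS#7 padding added by
//     OpenSSL, no integrity check, and a passphrase that PHP silently
//     NUL-pads or truncates to the cipher's key size instead of rejecting.
function encryptRoundTripsOnly(string $key, string $plaintext): string
{
    $ct = openssl_encrypt($plaintext, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
    if ($ct === false) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $ct;
}

function decryptRoundTripsOnly(string $key, string $ct): ?string
{
    $pt = openssl_decrypt($ct, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
    return $pt === false ? null : $pt;
}

// (b) The same operation with every hidden parameter made explicit:
//     AES-256-GCM, key length enforced, fresh random nonce per message,
//     authentication tag verified on decrypt, nonce||tag||ciphertext on the wire.
function encryptAuthenticated(string $key, string $plaintext, string $aad = ''): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256-GCM requires a 32-byte key');
    }
    $nonce = random_bytes(NONCE_LEN);   // CSPRNG; must never repeat under one key
    $tag   = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $nonce . $tag . $ct;
}

function decryptAuthenticated(string $key, string $blob, string $aad = ''): ?string
{
    if (strlen($key) !== 32 || strlen($blob) < NONCE_LEN + TAG_LEN) {
        return null;
    }
    $nonce = substr($blob, 0, NONCE_LEN);
    $tag   = substr($blob, NONCE_LEN, TAG_LEN);
    $ct    = substr($blob, NONCE_LEN + TAG_LEN);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad);
    return $pt === false ? null : $pt;   // false = wrong key, wrong AAD, or tampering
}

// Demonstration on constructed input: two identical 16-byte plaintext blocks.
$plain  = str_repeat('A', 32);
$key128 = random_bytes(16);
$key256 = random_bytes(32);

$ecb = encryptRoundTripsOnly($key128, $plain);
printf("ECB round-trips:             %s\n", decryptRoundTripsOnly($key128, $ecb) === $plain ? 'yes' : 'no');
printf("ECB block 1 == block 2:      %s\n", substr($ecb, 0, 16) === substr($ecb, 16, 16) ? 'yes (structure leaks)' : 'no');
$forged = $ecb;
$forged[0] = chr(ord($forged[0]) ^ 0x01);   // flip one bit in ciphertext block 1
printf("ECB accepts modified data:   %s\n", decryptRoundTripsOnly($key128, $forged) !== null ? 'yes (no integrity)' : 'no');

$gcm = encryptAuthenticated($key256, $plain, 'record-id=42');
printf("GCM round-trips:             %s\n", decryptAuthenticated($key256, $gcm, 'record-id=42') === $plain ? 'yes' : 'no');
printf("GCM same input, same output: %s\n", encryptAuthenticated($key256, $plain, 'record-id=42') === $gcm ? 'yes' : 'no (fresh nonce)');
$forged = $gcm;
$forged[NONCE_LEN + TAG_LEN] = chr(ord($forged[NONCE_LEN + TAG_LEN]) ^ 0x01);   // flip one ciphertext bit
printf("GCM accepts modified data:   %s\n", decryptAuthenticated($key256, $forged, 'record-id=42') !== null ? 'yes' : 'no (tag check failed)');
printf("GCM accepts wrong AAD:       %s\n", decryptAuthenticated($key256, $gcm, 'record-id=43') !== null ? 'yes' : 'no (tag check failed)');
```

Run it with `php example.php`. The ECB variant round-trips, yet equal plaintext blocks produce equal ciphertext blocks and a bit-flipped ciphertext still decrypts without complaint, because padding is the only thing OpenSSL checks. The GCM variant surfaces each parameter that the ECB call left to defaults: the key length is checked rather than NUL-padded (PHP's manual documents that a short passphrase is silently padded and a long one truncated), the nonce is generated and transmitted explicitly, and the tag turns any modification or AAD mismatch into a hard failure. A related case of the same kind is `openssl_encrypt($data, 'aes-256-cbc', $key)` with no IV argument, where PHP falls back to an empty IV and only a runtime warning tells you the C-level call was made with a parameter you never chose.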