Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "internals@lists.php.net"
Date: Sun, 2 Feb 2014 15:50:03 +0900
Subject: Re: [RFC] Secure Session Module Options by Default

Hi all,

On Sun, Feb 2, 2014 at 7:33 AM, Yasuo Ohgaki wrote:

> Secure Session Module Options by Default
> https://wiki.php.net/rfc/secure-session-options-by-default
>
> Session is core of web security. Therefore, default should be
> as secure as possible by default.
>
> I'll open vote next week, please send comments now.
>

As many of you already know, use of SHA-1 is deprecated for security-related
use by NIST.

"applications that require collision resistance as soon as practical, and
must use the SHA-2 family of hash functions for these applications after
2010."
http://csrc.nist.gov/groups/ST/hash/policy_2006.html

The current files save handler detects collisions, and it is out of the NIST
requirement regardless of hash function.

Collision detection is up to the save handler now. It could be checked with
newer session module code using PS_VALIDATE_SID_FUNC(). This API is
included in the patch for

https://wiki.php.net/rfc/session-lock-ini

If a 3rd party save handler supports PS_VALIDATE_FUNC(), collision detection
can be done at the session module.

It may be better for this RFC to include this change (collision detection) also.

AND/OR

We may use SHA-256 as the default.
This may be preferred since NIST discourages use of SHA-1 anyway.

Regards,

P.S. It may be too late to change. SHA-3 is coming now.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
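The collision check described in the message above, modelled as an added example (not php-src code and not part of the original message): the session-module side asks the save handler whether a freshly generated ID already exists and retries, so a collision never hands out an existing session whatever the hash function is. All names here (`store_t`, `weak_create_sid`, `store_validate_sid`, `session_create`) are hypothetical, and the ID generator is constructed to be weak so that collisions actually occur.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 8
#define SID_MAX 16

/* Toy save handler storage (hypothetical names, not php-src structures). */
typedef struct {
    char ids[MAX_SESSIONS][SID_MAX];
    int count;
    unsigned next;              /* state of the constructed weak generator */
} store_t;

/* Constructed, deliberately weak generator: emits each of only four
 * possible IDs twice in a row, so collisions are guaranteed. */
static void weak_create_sid(store_t *s, char *out) {
    snprintf(out, SID_MAX, "sid-%u", (s->next++ / 2) % 4);
}

/* Handler-side hook: 1 if the ID already exists in storage, 0 otherwise. */
static int store_validate_sid(const store_t *s, const char *sid) {
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->ids[i], sid) == 0) return 1;
    return 0;
}

/* Session-module side: generate, ask the handler, retry on collision.
 * Returns attempts used, or -1 (fail closed: never adopt an existing ID). */
static int session_create(store_t *s, char *out, int max_retries) {
    for (int attempt = 1; attempt <= max_retries && s->count < MAX_SESSIONS; attempt++) {
        weak_create_sid(s, out);
        if (!store_validate_sid(s, out)) {
            strcpy(s->ids[s->count++], out);
            return attempt;
        }
    }
    out[0] = '\0';
    return -1;
}

int main(void) {
    store_t s = {0};
    char sid[SID_MAX];
    for (int i = 0; i < 5; i++) {
        int n = session_create(&s, sid, 3);
        printf("create %d: attempts=%d sid=%s\n", i + 1, n, n < 0 ? "(refused)" : sid);
    }
    return 0;
}
```

Once all four possible IDs are in use, the fifth request exhausts its retries and is refused rather than being attached to an existing session.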