Newsgroups: php.internals
Subject: Re: [PHP-DEV] Security Diligence
From: pierre.php@gmail.com (Pierre Joye)
To: Lester Caine
Cc: PHP internals
Date: Sat, 8 Feb 2014 15:26:44 +0100
In-Reply-To: <52F63DDE.6090600@lsces.co.uk>
References: <52F61A78.1020401@lsces.co.uk> <52F62B08.6050201@ajf.me> <52F63DDE.6090600@lsces.co.uk>

On Sat, Feb 8, 2014 at 3:23 PM, Lester Caine wrote:
> Andrea Faulds wrote:
>> On 08/02/14 12:08, Nikita Popov wrote:
>>> I'm sorry, but how does this relate to the internals mailing list?
>>
>> I might be reading it wrong, but I think Lester's saying "don't change PHP
>> in ways that force people to make their code secure, because it doesn't
>> matter if *my* code's insecure".
>
> You are reading me wrong - as is Nikita ...
> My own code is doing exactly as it has done for many years now with a level
> of security that the customer is happy with. Adding any more is unnecessary,
> but 'security advisors' dictate otherwise without actually assessing the
> risk!
> But what I'm asking for is that the documentation of the attempts to fix
> these perceived threats includes just a little more information so those of
> us who are not so 'expert' can better understand the nature of the risk.
> Simply quoting third party articles like the Wikipedia one does not address
> how a risk actually relates to PHP.
>
> Specifically looking at the 'timing attack', as I understand it, a
> comparison process scans all elements and simply sets a flag when failure is
> detected, which is not used until all characters have been processed. Which
> is the reason for establishing 'safely' the number of characters involved.
> Using 64bit functions rather than 32bit will also change the way that
> process works?
>
> Much of the difficulty I have with PHP these days is simply trying to
> understand why the 'new' method of working is better than what we did 10 or
> more years ago. Good examples of practice are still very lacking even in the
> latest documentation, and what goes into RFCs these days is the basis for
> updating the main documentation?

Lester, this is not a support list.

It is your good right to stick with dead PHP versions and 10-year-old code
(whether it is your choice or not), but it is definitively not good to
constantly post totally off-topic posts, replies or complaints about what we
do or don't. It is even more annoying in cases where you clearly do not
understand the underlying reasons for one feature or another.

That being said, I would love to see you actually contribute something for a
change.

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org
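The comparison Lester describes in the quoted text (visit every character, accumulate a flag, decide only at the end, after fixing the length safely), written out as an added PHP example that is not code from this thread or from PHP's own source; PHP 5.6 later shipped this as the built-in hash_equals(), and the function names and sample key below are constructed for illustration.

```php
<?php
// Added example, not from the thread or from PHP's own source.
// Both functions compare byte strings; strlen() is binary-safe and
// returns the byte count, which is the length that matters here.

// Early-exit comparison: returns as soon as a byte differs, so the
// running time reveals how many leading bytes of $user were correct.
function naive_equals($known, $user)
{
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        if ($known[$i] !== $user[$i]) {
            return false; // position of first mismatch is visible in timing
        }
    }
    return true;
}

// Constant-time comparison: every byte is visited and the XOR of each
// pair is OR-ed into $diff; the flag is only inspected after the loop.
// The length check is the one early return; it reveals only the length
// of $known, which is normally public anyway (e.g. a fixed-size HMAC).
function constant_time_equals($known, $user)
{
    if (!is_string($known) || !is_string($user)) {
        return false;
    }
    $n = strlen($known);
    if ($n !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Constructed sample: verify an HMAC over a request body the way a
// webhook receiver would, using the constant-time function.
$key      = 'constructed-demo-key';
$expected = hash_hmac('sha256', '{"id":42}', $key);
$received = hash_hmac('sha256', '{"id":42}', $key);
$tampered = hash_hmac('sha256', '{"id":43}', $key);

var_dump(constant_time_equals($expected, $received));
var_dump(constant_time_equals($expected, $tampered));
```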