Newsgroups: php.internals
Date: Mon, 17 Feb 2014 15:22:37 +0200
From: narf@devilix.net (Andrey Andreev)
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [VOTE] Secure Session Module Options/Internal by Default

Hi,

On Mon, Feb 17, 2014 at 11:40 AM, Yasuo Ohgaki wrote:
> Hi Andrey,
>
> On Mon, Feb 17, 2014 at 5:11 PM, Andrey Andreev wrote:
>>
>> I didn't want to interrupt a vote, but this 'id_length' setting was
>> not initially a part of the RFC and it's just now that I see it.
>
>
> I noticed a possible attack during the timing attack discussion. Therefore,
> I've added this. User defined, 3rd party or certain systems' save
> handlers could be vulnerable.
>
> The simplest one would be a file system with linear directory search. It would
> be possible to get the 1st session ID on the system with a timing attack.
> I suppose this scenario is possible with embedded systems. If it is
> affected, it would be very easy to attack by timing. We cannot assure that a
> system, 3rd party or user save handler is timing safe because we
> cannot control the implementation. Setting a minimum length removes the
> possibility of the attack.
>
> I might post mail in a different thread, sorry.
>
>> I don't see how it relates to timing attacks.
>> If it is about comparing at least N characters of the session ID
>> before rejecting one, then why not just compare all of them? ID length
>> is public information, anybody can see what it is by simply looking at
>> what the application gives them.
>> And finally, the setting name itself is misleading - it doesn't make
>> it clear that it's about minimum length.
>
>
> I agree. Java has a similarly named setting with different semantics.
> Name could be anything. A better name would be appreciated.

This still doesn't explain how it would work. And why is it necessary as
a setting instead of auto-detecting it? The valid length should be easy
to calculate.

Regards,
Andrey.
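The timing argument in the exchange above, modelled as an added example; this is not code from the thread, from PHP's session module or from any real save handler. It assumes a hexadecimal session ID alphabet, a store holding a single session, and a constructed sample ID. Because wall-clock measurements are noisy, the "time" a comparison takes is modelled as the number of bytes it examines before returning, which is exactly what an attacker measures as latency when the handler stops at the first mismatching byte.

```python
"""Added illustration: a session save handler whose ID check stops at the
first differing byte leaks the length of the matching prefix through its
running time, so an attacker can recover the stored ID one byte at a time.
The same attack gets no signal from a comparison that always examines every
byte. Cost is counted in examined bytes as a deterministic stand-in for time.
Assumptions (not from the thread): hex IDs, one stored session, constructed data.
"""
import secrets

HEX = "0123456789abcdef"   # constructed alphabet for the sample session IDs


def early_exit_equal(a: bytes, b: bytes):
    """Naive comparison (what == / strcmp do): return at the first mismatch.
    Returns (equal, bytes_examined); the count grows with the matching prefix."""
    if len(a) != len(b):          # length is public, so an early exit here leaks nothing new
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes):
    """Examine every byte and fold the differences together, so the work done
    does not depend on where, or whether, the two strings differ."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


class SessionStore:
    """Stand-in for a save handler that validates a presented ID against the
    one session it holds; `compare` is whichever comparison it happens to use."""

    def __init__(self, session_id: bytes, compare):
        self._id = session_id
        self._compare = compare
        self.last_cost = 0        # what the attacker observes as response latency

    def validate(self, presented: bytes) -> bool:
        ok, self.last_cost = self._compare(presented, self._id)
        return ok


def recover_id(store: SessionStore, id_len: int, alphabet: str = HEX):
    """Byte-at-a-time recovery using only validate()'s boolean and the cost
    side channel. Returns (recovered_id_or_None, queries_made).

    At each position every symbol is tried; the guess that makes the handler
    do the most work extends the known prefix. If every symbol costs the same
    the side channel is blind and the attacker gives up."""
    known = b""
    queries = 0
    for pos in range(id_len):
        costs = {}
        filler = b"0" * (id_len - pos - 1)
        for sym in alphabet:
            guess = known + sym.encode() + filler
            queries += 1
            if store.validate(guess):        # at the last byte the boolean alone suffices
                return guess, queries
            costs[sym] = store.last_cost
        if len(set(costs.values())) == 1:    # no signal: constant-time handler
            return None, queries
        known += max(costs, key=costs.get).encode()
    return None, queries


def run_both(session_id: bytes):
    """Attack the same ID behind each comparison. Returns
    {"early_exit": (recovered, queries), "constant_time": (recovered, queries)}."""
    n = len(session_id)
    return {
        "early_exit": recover_id(SessionStore(session_id, early_exit_equal), n),
        "constant_time": recover_id(SessionStore(session_id, constant_time_equal), n),
    }


if __name__ == "__main__":
    sid = secrets.token_hex(16).encode()    # 32 hex chars, i.e. a 128-bit ID
    for name, (found, queries) in run_both(sid).items():
        print(f"{name:14s} recovered={found} queries={queries}")
```

Against the early-exit handler the attacker needs at most 16 guesses per character, so a longer ID only adds a linear amount of work; against the comparison that examines every byte the first 16 guesses all cost the same and there is nothing left to exploit, regardless of the ID's length. PHP later shipped hash_equals() (5.6) as the built-in for this kind of comparison.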