Newsgroups: php.internals
Xref: news.php.net php.internals:72681
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQD49ZA6JgY/ePEgFR0D9Bs6n2u1g5xnUJQQ
Date: Tue, 18 Feb 2014 13:46:05 +0200
Message-ID: <2cb7cac279b9740f6ae011da15088ac9@mail.gmail.com>
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Content-Type: text/plain; charset=UTF-8
Subject: RE: [PHP-DEV] [VOTE] Secure Session Module Options/Internal by Default
From: zeev@zend.com (Zeev Suraski)

Yasuo,

This was previously discussed, but I have to agree with Andrey (and maybe even go beyond what he said) - the hash_bits change doesn't belong in this RFC. First, it has no security implications, and it's not entirely clear from the RFC. Second, I don't feel that the implications of that change are clear, beyond some mention that "this could not be an issue for almost all apps", which personally I don't think is accurate - but either way, we need some better analysis here. From my point of view, I don't think a few extra characters per session going over the wire are worth the potential obscure BC break that changing the default here will cause with certain session backends and/or apps, and we shouldn't include this change in this RFC. If we want to compact the session IDs, proposing a change for this default can be done in a separate RFC that discusses the pros and cons of doing it, independent of security.

Another thing that I think this RFC is missing is some clearer explanation of what kind of apps *don't* work with the proposed changes (most notably use_strict_mode=on and cookie_httponly). Even though my gut feeling is that these two proposed changes are good - the RFC should include explanations of the code patterns and/or types of apps and/or modules that will be affected by this; "Most apps should not be affected" isn't enough in an RFC IMHO.

Last - the voting period should be at least a week; right now it's 5 (or maybe 6, depending on your POV) days.

Thanks!
Zeev

> -----Original Message-----
> From: yohgaki@gmail.com [mailto:yohgaki@gmail.com] On Behalf Of Yasuo Ohgaki
> Sent: Monday, February 17, 2014 6:27 AM
> To: internals@lists.php.net
> Subject: [PHP-DEV] [VOTE] Secure Session Module Options/Internal by Default
>
> Hi all,
>
> This RFC changes default session settings and introduces a new setting that
> disables a possible timing attack against the session ID. All of them help to
> improve general session ID security, except the hash_bits_per_character change.
>
> NIST discouraged use of SHA-1 years ago. It proposes to use SHA-256 as the
> default hash function for sessions. To reduce the size of the session ID
> string, hash_bits_per_character=6 is proposed.
>
> https://wiki.php.net/rfc/secure-session-options-by-default
>
> Thank you for voting!
>
> P.S. Although the change is trivial, if anyone would like to see a patch for
> this, I'll prepare one ASAP.
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
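As an added illustration (not code from the RFC or from either poster), the settings the thread discusses applied per application, together with the session ID length that results from the digest size and hash_bits_per_character combinations mentioned; the ini keys are the real PHP 5.x session.* settings, the length calculation is an assumption of mine modelled on ceil(digest bits / bits per character).

```php
<?php
// Added example, not part of the RFC or the thread: the session settings the
// RFC proposes as defaults, applied per application via ini_set(), and the
// resulting session ID length for the hash/encoding combinations discussed.

// Settings named in the thread (real PHP 5.x session.* ini keys).
ini_set('session.hash_function', 'sha256');       // RFC: SHA-256 instead of SHA-1
ini_set('session.hash_bits_per_character', '6');  // RFC: shorter ID string (0-9, a-z, A-Z, ',', '-')
ini_set('session.use_strict_mode', '1');          // reject session IDs the server never issued
ini_set('session.cookie_httponly', '1');          // keep the ID cookie out of document.cookie

// Session ID length in characters for a digest of $digestBits bits encoded at
// $bitsPerChar bits per character (4 = hex, 5 = 0-9a-v, 6 = 0-9a-zA-Z,-).
// Assumption: the encoder emits ceil(bits / bitsPerChar) characters.
function sessionIdLength($digestBits, $bitsPerChar)
{
    return (int) ceil($digestBits / $bitsPerChar);
}

// Digest sizes of the hash functions named in the thread.
$digests = array('sha1' => 160, 'sha256' => 256);

foreach ($digests as $name => $bits) {
    foreach (array(4, 5, 6) as $bpc) {
        printf("%-7s %d bits/char -> %2d chars\n", $name, $bpc, sessionIdLength($bits, $bpc));
    }
}
// sha256 at 6 bits/char comes out at 43 characters, three more than a 40-char
// hex SHA-1 ID; at the hex setting (4) it would be 64, which is the size
// difference the "few extra characters per session" remark refers to.
```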