Newsgroups: php.internals
Date: Sun, 23 Feb 2014 22:05:43 +0100
From: Rouven Weßling <me@rouvenwessling.de>
To: Yasuo Ohgaki
Cc: PHP internals, Solar Designer
Subject: Re: [PHP-DEV] [VOTE] Timing attack safe string comparison function

Hi Yasuo,

On 23.02.2014, at 21:59, Yasuo Ohgaki wrote:

> I did some experiments. It seems it's good to implement timing safe comparison in the engine, i.e. we can make ==/=== secure by default like Python. It would be much safer to get rid of all timing from PHP.
>
> We need a new RFC to include the change in the engine.

That's not how I read that discussion (though I might have missed a mail). Also, personally I don't like it. I don't see that the supposed gain in security is worth the performance implication. Also, if it turns out there's a bug and we'd have to make it 100 times slower for some reason, then that's not a big deal for a function like hash_equals. It is, however, if it affects all comparisons.

Since I don't believe in that change, I'm not interested in proposing that RFC.

Best regards
Rouven
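The trade-off discussed above, an early-exit comparison (what a plain == does) against a hash_equals-style comparison that always walks the full length, shown in C as an added example; this is not code from the thread or from PHP's own hash_equals implementation, and the function names and the byte counter are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Early-exit comparison (what a plain ==/memcmp-style compare does):
 * returns at the first differing byte, so its run time grows with the
 * length of the matching prefix. The counter records bytes examined so
 * the leak is visible without timing anything. */
static int early_exit_equals(const char *a, size_t alen,
                             const char *b, size_t blen, size_t *examined)
{
    size_t i;
    *examined = 0;
    if (alen != blen) return 0;
    for (i = 0; i < alen; i++) {
        (*examined)++;
        if (a[i] != b[i]) return 0;  /* leaks the mismatch position */
    }
    return 1;
}

/* hash_equals-style comparison: always walks the whole string and folds
 * differences into one accumulator with OR, so the work done does not
 * depend on where (or whether) the inputs differ. Only the length check
 * short-circuits, the one thing hash_equals accepts leaking. */
static int ct_equals(const char *a, size_t alen,
                     const char *b, size_t blen, size_t *examined)
{
    size_t i;
    unsigned char diff = 0;
    *examined = 0;
    if (alen != blen) return 0;
    for (i = 0; i < alen; i++) {
        (*examined)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* How many bytes each variant looks at before deciding, for two
 * NUL-terminated strings (constructed inputs in the test). */
static size_t bytes_examined(int constant_time, const char *a, const char *b)
{
    size_t n;
    if (constant_time)
        ct_equals(a, strlen(a), b, strlen(b), &n);
    else
        early_exit_equals(a, strlen(a), b, strlen(b), &n);
    return n;
}
```

The constant-time variant does the same amount of work whether the strings match or differ at the first byte, which is exactly the cost the thread weighs against applying it to every comparison in the engine.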