Newsgroups: php.internals
From: php@fleshgrinder.com (Fleshgrinder)
To: Stanislav Malyshev, internals@lists.php.net
Reply-To: internals@lists.php.net
Date: Tue, 21 Jun 2016 19:49:56 +0200
Subject: Re: [PHP-DEV] [RFC] RNG fixes

On 6/21/2016 7:33 AM, Stanislav Malyshev wrote:
>> Mcrypt is meant to be replaced anyways and OpenSSL might be too if we
>> can come up with a nicer implementation that actually hides the
>> underlying library (e.g. sodium).
>
> This is another problem. So we have OpenSSL, then we have mcrypt, then
> we have another implementation like sodium... do we really expect our
> users to rewrite crypto in their apps every couple of years? That would
> be insane. OK, we could say "have your apps work as they worked, but use
> new stuff for new things" - but you propose to remove stuff?
>

Forgot to answer this part, so here it comes.

The mcrypt situation is just a legacy that we need to take care of.
Exposing OpenSSL was a bad idea from the very beginning if you ask me.
OpenSSL was well known for being problematic long before Heartbleed and
related things.

Ignoring the two specifics. Yes, I expect people to rewrite their crypto
every couple of years because, well, it is crypto and crypto is
something that changes every couple of years. Attacks are developed
further, key sizes are not sufficient anymore, and new technology makes
old cryptos unsafe. Security is a topic where a language really needs to
move fast if necessary and users need to be prepared to do the same if
they want to provide good crypto. Way too many problems arise from
ignoring that.

-- 
Richard "Fleshgrinder" Fussenegger