Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94380 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 67230 invoked from network); 5 Jul 2016 03:00:20 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Jul 2016 03:00:20 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender) X-PHP-List-Original-Sender: yohgaki@ohgaki.net X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp Received: from [180.42.98.130] ([180.42.98.130:55759] helo=es-i.jp) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 1A/34-30328-1C22B775 for ; Mon, 04 Jul 2016 23:00:19 -0400 Received: (qmail 51744 invoked by uid 89); 5 Jul 2016 03:00:13 -0000 Received: from unknown (HELO mail-qt0-f171.google.com) (yohgaki@ohgaki.net@209.85.216.171) by 0 with ESMTPA; 5 Jul 2016 03:00:13 -0000 Received: by mail-qt0-f171.google.com with SMTP id c34so95013190qte.0 for ; Mon, 04 Jul 2016 20:00:12 -0700 (PDT) X-Gm-Message-State: ALyK8tKfsKjElU/iPxBhSULJ1KR0XfZsehvjtnAbH0mzYjuNITKZFTlvA6FsrG7ewazKpSnOtOG1MWSAKdZBuQ== X-Received: by 10.200.42.43 with SMTP id k40mr23439852qtk.98.1467687606575; Mon, 04 Jul 2016 20:00:06 -0700 (PDT) MIME-Version: 1.0 Received: by 10.140.17.33 with HTTP; Mon, 4 Jul 2016 19:59:27 -0700 (PDT) In-Reply-To: References: Date: Tue, 5 Jul 2016 11:59:27 +0900 X-Gmail-Original-Message-ID: Message-ID: To: Dan Ackroyd Cc: "internals@lists.php.net" , Dan Ackroyd , Stanislav Malyshev Content-Type: text/plain; charset=UTF-8 Subject: Re: [RFC][VOTE] Session ID without hashing From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Dan, On Tue, Jul 5, 2016 at 9:36 AM, Dan Ackroyd wrote: >> Could you share the reason why against this change? > > The RFC is doing separate things: No. It simply follows best practice not to reinvent wheel and keep things simple. > > * Using a proper random number generator - which is probably a good > thing, and I probably would vote/support that change by itself. Use of not a really random values like pid and time is bad practice. > > * Removing old stuff for performance reasons - probably a bad thing, > as minor performance improvements don't justify changing the ini > settings imo. It's not an objective, but side effect improvement. > > * Slipping in a change to make 'session.use_strict_mode' be enbled by > default. I actually agree with this change, but I don't like how it's > been combined into an unrelated RFC. There is a request for inclusion, but I made separate RFC. Besides that making separate RFCs for this kind of simple mandatory change does not make much sense. I have too many RFCs already. I created RFC for it, though. > * Exposing information that could be useful to an attacker, from the RFC: I don't understand this part. > >> If PRNG has vulnerability that generates predictable value, exposing >> raw PRNG state helps attackers. Although, this is unlikely with modern PRNGs, but >> risk is there. > > I don't agree that faster session generation is worth exposing the > random number generator in a completely known way to the outside > world. Reading an extra 60 bytes almost certainly does nothing to > mitigate that exposure. Don't miss the basis of this RFC. It's not PRNG, but CSPRNG. Exposure of raw CSPRNG should not be a security issue at all by CSPRNG definition. Additional random data that read from CSPRNG should be good enough mitigation. > >> cryptographers recommends >> not to reinvent crypt related functions/features. > > They also recommend reducing your attack surface as much as possible, > not opening it up to the point where you're relying on the CSPRNG to > work perfectly to avoid having a security hole. Use of poor random sources like pid and time is bad practice. Old SSL used multiple hashes to mitigate hash functions' vulnerabilities, but this method is not used today for reason. > > But more importantly, as I wrote before > (http://news.php.net/php.internals/90940) I don't think the session > extension is in a state where incremental improvements are a good way > to proceed: > >> The problem is that you're trying to build on a foundation of sand. >> The session handling works but is incredibly fragile. > >> To me, there are two good ways to proceed: > >> i) Develop a new session extension, that doesn't depend on magic >> behaviour of globals and leave the current session handler as it is. >> The new session extension could be shipped as a 'work in progress' when >> it's good enough, before PHP 8. Then when it's stable, we could figure >> out how to transition users from the old extension. Basic design of session module is good enough, IMHO. Even if we rewrite session module, it will end up with similar implementation. Complexity of state(session) management cannot be reduced by rewrite. Object interface has/had lots of problems. This part could be improved one by one. If nobody objects, I can clean them up with a single RFC. >> >> ii) Develop a session handler in userland code only. PHP is powerful >> enough to support this. Although obviously there are big benefits to >> shipping a session handler with PHP, I don't see any need for it to be >> done internally other than we don't currently have a way of shipping >> userland code with an extension. I'm hoping that before PHP 8, the >> ability to ship PHP code as part of extensions would be in place. I think this is not good option. Session management is complex and difficult to understand what it should be. I've proposed both minimal/simple and complex/comprehensive timestamp based session management which is mandatory for session management, but both of RFCs are declined. I suppose this proved difficulty of proper session management. It's slow when it is implemented as PHP script also. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net