Newsgroups: php.internals
Xref: news.php.net php.internals:96041
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Scott Arciszewski, Yasuo Ohgaki
Cc: Thomas Hruska, PHP Internals
Date: Tue, 20 Sep 2016 19:25:39 -0700
Subject: Re: [PHP-DEV] HashDoS
Message-ID: <4ad4abc8-9605-fb8d-14ec-49fdbaf8b562@gmail.com>
References: <7d5727ba-da33-e3c5-1d1f-318c45d81616@cubiclesoft.com>

Hi!

> - Do you think your proposed strategy can solve this problem entirely
>   without dropping djb3?
> - Would randomization still help as a defense-in-depth?

Note that to avoid problems with opcache we can only randomize on initial boot (even then synchronizing among different processes sharing opcache may be challenging). That means that the process would be running for an extended time (at least days, in theory as long as uptime allows) with the same seed. Given that, I'm not sure how much randomization would really improve.

> To elaborate on the second question: even a 4-byte prefix for the hash
> function inputs that's randomly generated at $appropriateIntervalHere
> might make intentional collisions harder to trigger. (Then again, maybe
> not! The underlying structure of djb3 isn't exactly cryptographic.)

I don't see how we can do $appropriateIntervalHere if we use opcache. We could clean the cache of course but I'm not sure server owners would be very happy if their cache dropped at random intervals with accompanying load spike.

--
Stas Malyshev
smalyshev@gmail.com
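
The quoted doubt about a random 4-byte prefix can be checked directly. The following is an added example, not part of the original message or of the PHP source; it assumes "djb3" means the times-33 DJB hash (hash = hash*33 + byte, start value 5381), and the function names, sample keys and seed stream are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Times-33 DJB hash step (assumed meaning of "djb3"), continued from state h. */
static uint64_t djb33_update(uint64_t h, const unsigned char *p, size_t n) {
    while (n--) h = h * 33u + *p++;
    return h;
}

/* Model of the proposal: hash(prefix || key) with a secret 4-byte prefix. */
uint64_t prefixed_hash(uint32_t prefix, const char *key) {
    unsigned char pre[4];
    memcpy(pre, &prefix, sizeof pre);
    uint64_t h = djb33_update(5381u, pre, sizeof pre);
    return djb33_update(h, (const unsigned char *)key, strlen(key));
}

/* Count how many of `trials` different prefixes give keys a and b
 * different hashes. The prefixes come from a fixed LCG (constructed
 * sample data, not a real seed source). */
unsigned prefixes_that_separate(const char *a, const char *b, unsigned trials) {
    uint32_t prefix = 0x12345678u;
    unsigned separated = 0;
    for (unsigned i = 0; i < trials; i++) {
        prefix = prefix * 1664525u + 1013904223u;
        if (prefixed_hash(prefix, a) != prefixed_hash(prefix, b))
            separated++;
    }
    return separated;
}

int main(void) {
    /* "Ez" and "FY" collide unseeded: 69*33+122 == 70*33+89 == 2399. */
    printf("Ez   vs FY  : separated by %u of 100000 prefixes\n",
           prefixes_that_separate("Ez", "FY", 100000));
    printf("EzFY vs FYEz: separated by %u of 100000 prefixes\n",
           prefixes_that_separate("EzFY", "FYEz", 100000));
    /* Control pair that does not collide unseeded. */
    printf("Ez   vs Fz  : separated by %u of 100000 prefixes\n",
           prefixes_that_separate("Ez", "Fz", 100000));
    return 0;
}
```

For equal-length keys the prefix only changes the starting state, which both keys multiply by the same power of 33, so whether two such keys collide does not depend on the prefix at all.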