Newsgroups: php.internals
To: Stanislav Malyshev
Cc: PHP Internals
Date: Wed, 21 Sep 2016 09:51:32 -0400
Subject: Re: [PHP-DEV] HashDoS
From: fsb@thefsb.org (Tom Worster)

On 9/20/16 10:25 PM, Stanislav Malyshev wrote:
> Note that to avoid problems with opcache we can only randomize on
> initial boot (even then synchronizing among different processes sharing
> opcache may be challenging). That means that the process would be
> running for extended time (at least days, in theory as long as uptime
> allows) with the same seed. Given that, I'm not sure how much
> randomization would really improve.

While randomization doesn't eliminate the problem, isn't it still a valid complication for attackers? If everybody's PHP instance is running with a different hash key, that's harder to attack than if they all have the same key, even if the key isn't frequently changed.

It reminds me of when Logjam was in the news and we realized it wasn't smart for everyone to use the same default DH primes.

Tom
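
The trade-off discussed in this message, as an added Python example that is not part of the thread and is not PHP's hash implementation: a set of inputs precomputed against a fixed, public hash lands in one bucket on every instance, while the same set spreads out on instances that each drew their own key once at boot. Keyed BLAKE2b, the 256-bucket table and the names `bucket`, `precomputed_set`, `worst_bucket` and `survey` are assumptions made for the illustration.

```python
import hashlib
import os
from collections import Counter

BUCKETS = 256  # toy table size, constructed for this example


def bucket(data, key=b""):
    """Bucket index from BLAKE2b; an empty key models a fixed, public hash."""
    digest = hashlib.blake2b(data, digest_size=8, key=key).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def precomputed_set(count):
    """Inputs found offline that all share bucket 0 under the unkeyed hash."""
    found, i = [], 0
    while len(found) < count:
        candidate = b"k%d" % i
        if bucket(candidate) == 0:
            found.append(candidate)
        i += 1
    return found


def worst_bucket(inputs, key=b""):
    """Length of the longest chain these inputs produce in one table."""
    return max(Counter(bucket(x, key) for x in inputs).values())


def survey(inputs, instances=5):
    """Worst chain with the shared default vs. per-instance keys.

    Each key is drawn once and then reused, like a seed chosen at boot
    and kept for the life of the process.
    """
    keys = [os.urandom(16) for _ in range(instances)]
    return worst_bucket(inputs), [worst_bucket(inputs, k) for k in keys]


if __name__ == "__main__":
    inputs = precomputed_set(200)
    shared, per_instance = survey(inputs)
    print("worst chain, every instance on the shared default:", shared)
    print("worst chain, instances with their own key:", per_instance)
```

A long-lived key does not rotate, so the per-instance numbers stay fixed for the whole uptime; what changes is that one precomputed set no longer applies to every installation.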