Newsgroups: php.internals
Date: Mon, 12 Dec 2016 10:34:07 -0500
To: Sammy Kaye Powers, PHP Internals
Subject: Re: [PHP-DEV] More secure defaults for openssl_public_encrypt() & openssl_private_decrypt()
From: scott@paragonie.com (Scott Arciszewski)

On Mon, Dec 12, 2016 at 10:26 AM, Sammy Kaye Powers wrote:

> Hey internals!
>
> As pointed out in Paragon's excellent blog post,
> openssl_public_encrypt() & openssl_private_decrypt() defaults to the
> insecure OPENSSL_PKCS1_PADDING constant.
>
> https://paragonie.com/blog/2016/12/everything-you-know-about-public-key-encryption-in-php-is-wrong#php-openssl-rsa-bad-default
>
> What are your thoughts about deprecating OPENSSL_PKCS1_PADDING and
> using OPENSSL_PKCS1_OAEP_PADDING as the new default?
>
> Thanks,
> Sammy Kaye Powers
> sammyk.me

There was a little bit of discussion here previously.

http://externals.io/thread/442#email-12842

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
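
The padding choice discussed in this thread, shown as an added example that is not part of the original messages or of PHP itself: the call that relies on the default sits beside wrappers that pass OPENSSL_PKCS1_OAEP_PADDING explicitly on both sides. The helper names `rsaEncryptOaep` and `rsaDecryptOaep`, the throwaway key and the sample message are assumptions made for illustration.

```php
<?php
// Hypothetical helpers (not PHP built-ins): always name the padding explicitly
// instead of relying on the default of the underlying functions.
function rsaEncryptOaep(string $plaintext, $publicKey): string
{
    // Omitting the 4th argument selects OPENSSL_PKCS1_PADDING, the default
    // the thread proposes to deprecate.
    if (!openssl_public_encrypt($plaintext, $ciphertext, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA-OAEP encryption failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

function rsaDecryptOaep(string $ciphertext, $privateKey): string
{
    // The padding constant must match the one used for encryption.
    if (!openssl_private_decrypt($ciphertext, $plaintext, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        // One generic message for every failure, so callers cannot tell
        // padding errors apart from other decryption errors.
        throw new RuntimeException('RSA-OAEP decryption failed');
    }
    return $plaintext;
}

// Constructed demo key pair, generated on the spot for this example only.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($key === false) {
    throw new RuntimeException('Key generation failed: ' . openssl_error_string());
}
$publicPem = openssl_pkey_get_details($key)['key'];
$message   = 'constructed sample secret';

// Before: no padding argument, so the default OPENSSL_PKCS1_PADDING is used.
openssl_public_encrypt($message, $legacyCiphertext, $publicPem);

// After: OAEP requested explicitly for encryption and decryption.
$ciphertext = rsaEncryptOaep($message, $publicPem);
$roundTrip  = rsaDecryptOaep($ciphertext, $key);

var_dump($roundTrip === $message);
```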