Re: [RFC] Timing attack safe string comparison function

From: Joe Watkins Date: Mon, 23 Dec 2013 09:09:06 +0000

Subject: Re: [RFC] Timing attack safe string comparison function

References: 1 Groups: php.internals

Request: Send a blank email to internals+get-70847@lists.php.net to get a copy of this message

On 12/22/2013 05:08 PM, Rouven Weßling wrote:
Hi internals,

I'd like to propose this RFC to introduce a time-constant string comparison function: https://wiki.php.net/rfc/timing_attack

I will not open the voting before January 7 to account for holidays.

Best regards
Rouven


Morning,

	This does not appear to solve any problems, it appears to add another function, for that function to solve any problems it must be deployed.
	So the RFC relies on everyone swapping out every security sensitive string comparison with the new function, which simply will not happen.

	I'm up for doing something about security, however, this doesn't actually do that, what it does is add a (generically named) function that nobody is very likely to deploy, and doesn't fix the vulnerability in existing code ... which surely has to be the aim of anything targeted at security - existing code.

	Obviously, we cannot really change all string comparisons to use security sensitive logic, so this isn't something we can really solve everywhere from the core, some action must be taken by the user ...

	It might have more traction if the function were named password_compare or hash_compare or something similar that gives everyone the idea that it is not simply a string comparison function but the correct way to verify in particular passwords/hashes or whatever. I'd be much more inclined to say that's a good idea, providing a full set of tools for password related foo.

Cheers
Joe

Thread (40 messages)

Rouven WeßlingSun, 22 Dec 2013 17:08:09 +0000
Andrea FauldsSun, 22 Dec 2013 17:25:48 +0000
Rouven WeßlingMon, 23 Dec 2013 09:45:29 +0000
Joe WatkinsMon, 23 Dec 2013 10:01:26 +0000
Joe WatkinsMon, 23 Dec 2013 10:03:43 +0000
Yasuo OhgakiMon, 23 Dec 2013 22:30:36 +0000
Jake A. SmithTue, 24 Dec 2013 03:59:57 +0000
Thomas HruskaTue, 24 Dec 2013 04:35:15 +0000
Yasuo OhgakiTue, 24 Dec 2013 06:37:56 +0000
Thomas HruskaTue, 24 Dec 2013 08:28:36 +0000
Sara GolemonFri, 27 Dec 2013 13:57:51 +0000
Adam HarveyFri, 27 Dec 2013 18:12:23 +0000
Yasuo OhgakiFri, 27 Dec 2013 21:57:00 +0000
Jake A. SmithSat, 28 Dec 2013 00:02:53 +0000
Yasuo OhgakiSat, 28 Dec 2013 00:39:06 +0000
Andrea FauldsSat, 28 Dec 2013 01:41:10 +0000
Sanford WhitemanSat, 28 Dec 2013 07:31:32 +0000
Rouven WeßlingSun, 19 Jan 2014 22:40:22 +0000
Stas MalyshevFri, 27 Dec 2013 19:44:21 +0000
Mateusz KocielskiFri, 27 Dec 2013 09:04:07 +0000
Pierre JoyeFri, 27 Dec 2013 09:07:38 +0000
Rouven WeßlingFri, 27 Dec 2013 13:55:39 +0000
Sara GolemonFri, 27 Dec 2013 14:03:14 +0000
Tjerk MeestersMon, 23 Dec 2013 14:15:06 +0000
Yasuo OhgakiSun, 22 Dec 2013 23:55:02 +0000
Tjerk MeestersMon, 23 Dec 2013 01:26:05 +0000
Joe WatkinsMon, 23 Dec 2013 09:09:06 +0000Re: [RFC] Timing attack safe string comparison function
Yasuo OhgakiMon, 23 Dec 2013 09:45:50 +0000Re: Re: [RFC] Timing attack safe string comparison function
Stas MalyshevMon, 23 Dec 2013 10:11:39 +0000
Joe WatkinsMon, 23 Dec 2013 10:20:46 +0000
Rouven WeßlingMon, 23 Dec 2013 10:26:42 +0000
Joe WatkinsMon, 23 Dec 2013 10:42:41 +0000
Joe WatkinsMon, 23 Dec 2013 10:50:01 +0000
Marco PivettaMon, 23 Dec 2013 11:04:10 +0000
Joe WatkinsMon, 23 Dec 2013 11:16:47 +0000
Joe WatkinsMon, 23 Dec 2013 11:19:25 +0000
Marco PivettaMon, 23 Dec 2013 11:25:35 +0000
Rouven WeßlingMon, 23 Dec 2013 16:46:14 +0000
Joe WatkinsMon, 23 Dec 2013 19:45:58 +0000
Iwan LuijksFri, 27 Dec 2013 20:15:53 +0000RE: [PHP-DEV] [RFC] Timing attack safe string comparison function

« previous	php.internals (#70847)	next »

From:	Joe Watkins	Date:	Mon, 23 Dec 2013 09:09:06 +0000
Subject:	Re: [RFC] Timing attack safe string comparison function
References:	1	Groups:	php.internals
Request:	Send a blank email to internals+get-70847@lists.php.net to get a copy of this message