On 9/20/16 10:25 PM, Stanislav Malyshev wrote:
Note that to avoid problems with opcache we can only randomize on
initial boot (even then synchronizing among different processes sharing
opcache may be challenging). That means that the process would be
running for extended time (at least days, in theory as long as uptime
allows) with the same seed. Given that, I'm not sure how much
randomization would really improve.

While randomization doesn't eliminate the problem, isn't it still a valid complication for attackers? If everybody's PHP instance is running with a different hash key, that's harder to attack than if than if they all have the same key, even if the key isn't frequently changed.

It reminds me of when Logjam was in the news and we realized it wasn't smart for everyone to use the same default DH primes.


PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to