phpwn: PHP cookie PRNG flawed (Netscape redux)

2010-08-05 Thread travis+ml-cryptography
https://media.blackhat.com/bh-us-10/whitepapers/Kamkar/BlackHat-USA-2010-Kamkar-How-I-Met-Your-Girlfriend-wp.pdf

Hey, another PRNG is broken.  Raise your hand if you're surprised.
-- 
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email j...@subspacefield.org to get blacklisted.


Re: phpwn: PHP cookie PRNG flawed (Netscape redux)

2010-08-05 Thread Chris Palmer
travis+ml-cryptogra...@subspacefield.org writes:

> https://media.blackhat.com/bh-us-10/whitepapers/Kamkar/BlackHat-USA-2010-Kamkar-How-I-Met-Your-Girlfriend-wp.pdf

He doesn't mention the php.ini variables session.entropy_length and
session.entropy_file. Last I checked, their default settings were unsafe,
but setting them to 16 and /dev/urandom should solve the problem he
describes in the paper.

Unless not.
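The two directives Chris names, as an added example that is not part of the thread and not PHP's own documentation. The directive names are real php.ini settings; the values (16 bytes, /dev/urandom) are the ones from the message; the function names are this example's own. It checks the settings before a session is started and sets them at runtime if the php.ini defaults were left in place, so that PHP mixes bytes read from /dev/urandom into the session ID hash rather than relying only on the predictable inputs the paper attacks. One caveat that post-dates the thread: PHP 7.1 removed both directives and always draws session IDs from the OS CSPRNG, so the check short-circuits on those versions.

```php
<?php
// Added example, not code from the thread or from the PHP project.
// Directive names: session.entropy_length, session.entropy_file (real).
// Values 16 and /dev/urandom come from Chris Palmer's message.
// Written without type declarations so it runs on the PHP 5.x builds
// that actually had the weak defaults.

// Report the current values so an operator can see what php.ini left us with.
function session_entropy_status()
{
    return array(
        'entropy_length' => (int) ini_get('session.entropy_length'),
        'entropy_file'   => (string) ini_get('session.entropy_file'),
    );
}

// True when session IDs get at least $minBytes of kernel entropy mixed in.
function session_entropy_is_safe($minBytes = 16)
{
    if (PHP_VERSION_ID >= 70100) {
        // Directives no longer exist; PHP 7.1+ uses a CSPRNG unconditionally.
        return true;
    }
    $s = session_entropy_status();
    return $s['entropy_length'] >= $minBytes
        && $s['entropy_file'] === '/dev/urandom';
}

// Apply the settings from the message at runtime. Must run before
// session_start(), because the ID is generated when the session opens.
function harden_session_entropy($bytes = 16)
{
    if (PHP_VERSION_ID >= 70100) {
        return; // nothing to do, see above
    }
    if (session_id() !== '' || headers_sent()) {
        throw new RuntimeException('harden_session_entropy() must run before session_start()');
    }
    if (ini_set('session.entropy_file', '/dev/urandom') === false
        || ini_set('session.entropy_length', (string) $bytes) === false) {
        // Typical cause: /dev/urandom is not readable from this SAPI/chroot.
        throw new RuntimeException('could not set session entropy directives');
    }
}

// Usage: run at the top of the front controller, before any session work.
harden_session_entropy();
if (!session_entropy_is_safe()) {
    error_log('session entropy still unsafe: ' . json_encode(session_entropy_status()));
}
session_start();
```

Setting these in php.ini is preferable to ini_set() in application code, since the runtime call only protects requests that pass through this file; the in-code version is useful as a regression check that the deployment did not silently revert to the defaults.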

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com