[145629] in cryptography@c2.net mail archive
Re: phpwn: PHP cookie PRNG flawed (Netscape redux)
daemon@ATHENA.MIT.EDU (Chris Palmer)
Thu Aug 5 14:16:03 2010
Date: Thu, 5 Aug 2010 10:33:17 -0700
From: Chris Palmer <chris@noncombatant.org>
To: cryptography@metzdowd.com
In-Reply-To: <20100805170937.GA17344@subspacefield.org>
travis+ml-cryptography@subspacefield.org writes:
> https://media.blackhat.com/bh-us-10/whitepapers/Kamkar/BlackHat-USA-2010-Kamkar-How-I-Met-Your-Girlfriend-wp.pdf
He doesn't mention the php.ini variables session.entropy_length and
session.entropy_file. Last I checked, their default settings were unsafe,
but setting them to 16 and /dev/urandom should solve the problem he
describes in the paper.
Unless not.
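As an added example (not part of Chris Palmer's message or of PHP itself), the script below puts the weak configuration he describes beside the recommended one and audits a running interpreter for the same two directives. It assumes a PHP 5.x interpreter, where session.entropy_length and session.entropy_file exist; PHP 7.1 removed both directives and always draws session IDs from the OS CSPRNG, which the script reports rather than flagging as a problem. The array values are constructed for the example.

```php
<?php
// Added example, not code from the original post or from PHP.
// The php.ini lines the reply recommends are:
//
//     session.entropy_length = 16
//     session.entropy_file   = /dev/urandom
//
// Assumes PHP 5.x, where these directives exist (PHP 7.1 removed them).

// Weak settings, as the reply describes the old defaults: no entropy file,
// so the session ID is derived only from time, client address and PHP's
// internal LCG. Values constructed for this example.
$weak = array(
    'session.entropy_length' => '0',
    'session.entropy_file'   => '',
);

// Settings the reply recommends: 16 bytes (128 bits) read from the kernel CSPRNG.
$fixed = array(
    'session.entropy_length' => '16',
    'session.entropy_file'   => '/dev/urandom',
);

/**
 * Return a list of problems with the given session entropy settings.
 * An empty list means the settings match the recommendation.
 */
function audit_session_entropy(array $ini)
{
    $problems = array();
    $len  = isset($ini['session.entropy_length']) ? (int) $ini['session.entropy_length'] : 0;
    $file = isset($ini['session.entropy_file']) ? trim((string) $ini['session.entropy_file']) : '';

    if ($file === '') {
        $problems[] = 'session.entropy_file is unset: no OS entropy is mixed into session IDs';
    } elseif (!is_readable($file)) {
        // A typo here silently falls back to the weak path, so check it is usable.
        $problems[] = "session.entropy_file '$file' is not readable by this process";
    }
    if ($len < 16) {
        $problems[] = "session.entropy_length is $len; want at least 16 bytes (128 bits)";
    }
    return $problems;
}

// Live values from the running interpreter: this is what a deployment check
// would actually test. ini_get() returns false for a directive that does not
// exist, which on PHP >= 7.1 means the OS CSPRNG is used unconditionally.
$live_len  = ini_get('session.entropy_length');
$live_file = ini_get('session.entropy_file');

$configs = array('weak' => $weak, 'fixed' => $fixed);
if ($live_len === false || $live_file === false) {
    printf("live : directives not present (PHP >= 7.1 uses the OS CSPRNG for session IDs)\n");
} else {
    $configs['live'] = array(
        'session.entropy_length' => $live_len,
        'session.entropy_file'   => $live_file,
    );
}

foreach ($configs as $name => $cfg) {
    $problems = audit_session_entropy($cfg);
    printf("%-5s: %s\n", $name, $problems ? implode('; ', $problems) : 'OK');
}
```

Run it with the CLI interpreter (`php audit.php`) on the host serving the application; the CLI and the web SAPI can load different php.ini files, so confirm with `php --ini` that the file you edited is the one in use.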
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com