*** Joins: dhx1 (~anonymous@60-242-247-232.static.tpgi.com.au) | 01:19 | |
dhx1 | nextgens: thanks for the patches, I'll look at them this weekend -- sorry for the delay | 02:32 |
nextgens | it's fine; I've been busy myself and didn't submit the main one yet | 02:33 |
nextgens | for the auth cookie, I took off the substr() call, making it way longer than it was | 02:36 |
dhx1 | thanks | 02:36 |
nextgens | well, arguably that's a bad thing as it's sent every single request | 02:36 |
nextgens | 128 bits of entropy ought to be enough | 02:36 |
dhx1 | yep | 02:36 |
nextgens | but it shouldn't be 'cut' using substr() | 02:37 |
dhx1 | nope, timing issues | 02:37 |
nextgens | and it should be the least significant bits of the hash, rather than the MSB like it was | 02:37 |
dhx1 | hmmm, so you're not using the raw output of OpenSSL's PRNG or /dev/urandom -- you're first hashing some of this data and truncating a certain amount from the hash? | 02:38 |
nextgens | there's two main reasons why you'd want to hash: | 02:40 |
nextgens | - ensure there's no side-channel in case your PRNG is flawed | 02:40 |
nextgens | - ensure that the output is uniformly distributed (so that base64 encoding it will be constant-size most of the time) | 02:41 |
nextgens | arguably these are very weak reasons, and could do without | 02:42 |
dhx1 | so I take it you're base64 encoding a raw (binary) hash string? | 02:42 |
nextgens | yes | 02:42 |
dhx1 | rather than truncating a hexadecimal notation? | 02:42 |
dhx1 | good :) | 02:42 |
*** Quits: kirillka (~Miranda@195.242.142.17) (Read error: Connection reset by peer) | 02:43 | |
dhx1 | with these changes (+ more upcoming) I wouldn't be surprised if MantisBT becomes one of the most secure web apps | 02:43 |
*** Joins: kirillka (~Miranda@195.242.142.17) | 02:43 | |
nextgens | that being said, I really think that this session management is madness, and should be left in the hands of PHP | 02:43 |
dhx1 | yes, agreed | 02:43 |
*** Quits: dhx1 (~anonymous@60-242-247-232.static.tpgi.com.au) (Quit: Leaving) | 05:57 | |
*** Quits: kirillka (~Miranda@195.242.142.17) (Quit: kirillka) | 06:55 | |
GitHub13 | [mantisbt] dregad pushed 2 new commits to master: http://git.io/H77qag | 08:54 |
GitHub13 | [mantisbt/master] SOAP API: calling mc_issue_update unduly updated bugnotes - Damien Regad | 08:54 |
GitHub13 | [mantisbt/master] LDAP binding calls are made even if $g_login_method <> LDAP - Damien Regad | 08:54 |
GitHub28 | [mantisbt] dregad pushed 2 new commits to master-1.2.x: http://git.io/27Bj9g | 08:54 |
GitHub28 | [mantisbt/master-1.2.x] SOAP API: calling mc_issue_update unduly updated bugnotes - Damien Regad | 08:54 |
GitHub28 | [mantisbt/master-1.2.x] LDAP binding calls are made even if $g_login_method <> LDAP - Damien Regad | 08:54 |
*** Quits: dregad (~dregad@155.250.128.35) (Quit: Ex-Chat) | 09:03 | |
*** Joins: paulr (~IceChat09@cpc1-enfi15-2-0-cust580.hari.cable.virginmedia.com) | 11:00 | |
paulr | moo | 15:12 |
*** Quits: paulr (~IceChat09@cpc1-enfi15-2-0-cust580.hari.cable.virginmedia.com) (Quit: Pull the pin and count to what?) | 16:14 | |
*** Quits: sdfjkljkdfsljkl (~sdfjkljkd@static.96.23.63.178.clients.your-server.de) (Remote host closed the connection) | 17:00 | |
*** Joins: sdfjkljkdfsljkl (~sdfjkljkd@static.96.23.63.178.clients.your-server.de) | 17:00 | |
*** Joins: kirillka (~Miranda@195.242.142.17) | 22:48 |
Generated by irclog2html.py 2.10.0 by Marius Gedminas - find it at mg.pov.lt!