null bytes + bcrypt = problem: http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html …
Replying to @ircmaxell
@ircmaxell While bcrypt is currently most relevant and while its key setup relies on NUL being special, I think we shouldn't single it out.
Replying to @solardiz
@ircmaxell I agree with @solardiz - this has nothing to do with bcrypt and everything to do with PHP's misleading API for crypt wrappers.
Replying to @RichFelker
@RichFelker @solardiz well, I'd argue that using c-strings for secrets (even passwords) is an issue. One that I hope future designs fix.
Replying to @ircmaxell
@ircmaxell @RichFelker Sure. The temporary PHS() C API that PHC candidates use accepts pointers and lengths separately.
Replying to @solardiz
@solardiz @ircmaxell In that case the ideal behavior is probably to check the full length for nul bytes and error-out early.
@solardiz @ircmaxell That prevents the processing of data that will be silently misinterpreted in other contexts.
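
An added example, not part of the thread and not code from any participant or project: a length-aware wrapper that scans the full input for NUL bytes and fails early before handing it to a C-string API. The names cstring_hash and checked_hash and the sample passwords are hypothetical; FNV-1a stands in for the hash only to make the truncation visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an API that takes a NUL-terminated key (assumption).
 * FNV-1a is used only to show truncation; it is NOT a password hash. */
static uint64_t cstring_hash(const char *key)
{
    uint64_t h = 0xcbf29ce484222325ULL;       /* FNV-1a 64-bit offset basis */
    for (size_t i = 0, n = strlen(key); i < n; i++) {
        h ^= (unsigned char)key[i];
        h *= 0x100000001b3ULL;                /* FNV-1a 64-bit prime */
    }
    return h;
}

/* Pointer + length interface: every one of the len bytes is checked, and
 * input containing NUL is rejected instead of being silently truncated.
 * Returns 0 and fills *out on success, -1 on rejection. */
static int checked_hash(const void *pw, size_t len, uint64_t *out)
{
    char buf[128];
    if (pw == NULL || out == NULL || len >= sizeof buf)
        return -1;                            /* bad argument or too long */
    if (memchr(pw, '\0', len) != NULL)
        return -1;                            /* embedded NUL: error out early */
    memcpy(buf, pw, len);
    buf[len] = '\0';                          /* terminator added only after the scan */
    *out = cstring_hash(buf);
    return 0;
}

int main(void)
{
    /* Constructed inputs: 12 bytes each, identical up to an embedded NUL. */
    static const char a[] = "hunter2\0AAAA", b[] = "hunter2\0BBBB";
    uint64_t h = 0;
    printf("C-string API treats them as equal: %d\n",
           cstring_hash(a) == cstring_hash(b));
    printf("checked_hash(a) = %d, checked_hash(b) = %d\n",
           checked_hash(a, 12, &h), checked_hash(b, 12, &h));
    printf("checked_hash(\"hunter2\") = %d\n", checked_hash("hunter2", 7, &h));
    return 0;
}
```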