To those writing programming language benchmarks: Stop benchmarking rand(). You are hurting security by penalizing default CSPRNG use.
Replying to @pcwalton
Similar: web framework benchmarks that penalize rails for:
- signed cookies by default
- verifying signed cookies by default
- bcrypt by default (constant time hashing)
It takes a bit of time to do those things, but I don't mind paying 1ms for security by default.
I don't understand where 1ms comes from. If you authenticate a ~100b cookie with hmac(sha1), it should take microseconds. bcrypt is only relevant for password storage (session establishment), not for any other request.
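As an added illustration of the cost being discussed (this is example code written for this page, not from any of the participants or from Rails), here is a minimal signed-cookie scheme in Ruby: HMAC-SHA1 over a ~100-byte payload, verified with a constant-time comparison, plus a small timing loop so you can see the per-verification cost on your own machine. The `--` separator, the `SECRET` constant and the sample payload are this example's own assumptions.

```ruby
require "openssl"
require "securerandom"
require "benchmark"

# Constructed secret for the example; a real application would load its
# signing secret from configuration rather than generating it at boot.
SECRET = SecureRandom.bytes(32)

# Sign a cookie value. Output shape "payload--hexmac" is this example's
# own convention (assumption), chosen so the MAC can be split off again.
def sign_cookie(value, secret = SECRET)
  mac = OpenSSL::HMAC.hexdigest("SHA1", secret, value)
  "#{value}--#{mac}"
end

# Constant-time comparison so a forged MAC cannot be narrowed down byte by
# byte from response timing. A length mismatch is rejected immediately,
# which reveals only the length, never the MAC bytes themselves.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Verify a signed cookie: returns the payload, or nil when the MAC is absent
# or wrong. rpartition splits at the last "--", so a payload that itself
# contains "--" is still handled (a hex MAC never contains that sequence).
def verify_cookie(signed, secret = SECRET)
  value, sep, mac = signed.rpartition("--")
  return nil if sep.empty?
  expected = OpenSSL::HMAC.hexdigest("SHA1", secret, value)
  secure_compare(mac, expected) ? value : nil
end

# Average cost in microseconds of one verification, over n runs.
def verify_cost_us(signed, n = 10_000)
  elapsed = Benchmark.realtime { n.times { verify_cookie(signed) } }
  (elapsed / n) * 1_000_000.0
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payload of roughly 100 bytes.
  payload = "session_id=#{SecureRandom.hex(32)};user=42;exp=1700000000"
  signed = sign_cookie(payload)
  puts "signed:   #{signed}"
  puts "verify:   #{verify_cookie(signed).inspect}"
  puts "tampered: #{verify_cookie(signed.sub('user=42', 'user=1')).inspect}"
  puts format("cost:     %.2f us per verification", verify_cost_us(signed))
end
```

Run it directly to see the signed value, a successful verification, a rejected tampered copy, and the measured per-request cost; the point of the thread is that the last number is a matter of microseconds, separate from the deliberately slow bcrypt work that only happens when a password is checked.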
Replying to @NovalisDMT @pcwalton
It's a bunch of different things that add up. Also please feel free to write a framework that only uses bcrypt in the "right requests" and establishes a programming model around it.
I'm OK with heavyweight frameworks that do lots for you. But I don't think it's right to blame security for a 1ms overhead. I'm not a security expert, though, so maybe I am missing how bcrypt is supposed to be used. If so, I want to be corrected so I don't write insecure code!
I don't think we need to spend a lot of time discussing 1ms of overhead is my point. But there's a lot of security by default in rails: CSRF protection, XSS protection, secure cookies, "strong parameters", various DoS mitigations, etc. It adds up.