Predictable Nonce? #14

StormTide opened this Issue Jan 3, 2014 · 2 comments

3 participants


I'm not sure of the implications yet, but this nonce appears to be predictable. If non-predictability is important (as it is for most nonces), I suggest changing to openssl_random_pseudo_bytes.

klali commented Jan 7, 2014


The server_nonce field is only used inside the synclib code to keep track of entries in the queue table.

I think it's OK to have it predictable here, though it might still be worth changing to something better. The problem with openssl_random_pseudo_bytes() is that it would make us incompatible with PHP 5.2 (though that might not be an issue any more?)
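For reference, here is how the change suggested in the issue could be done while addressing the PHP 5.2 concern raised above. This is an added example, not synclib's code: the helper name `generate_server_nonce`, the 16-byte length and the hex encoding are assumptions, and the fallback path reads the kernel's CSPRNG directly for PHP builds that predate openssl_random_pseudo_bytes() (added in 5.3).

```php
<?php
// Added example, not synclib's own code. Generates an unpredictable server_nonce.
// Assumptions: a hex string is wanted; 16 random bytes (128 bits) is enough for
// a queue-entry identifier; the function name is hypothetical.

function generate_server_nonce($bytes = 16)
{
    // PHP >= 5.3: ask OpenSSL's CSPRNG and check the "strong" flag it reports.
    // Older OpenSSL builds can return bytes that are NOT cryptographically strong,
    // so the flag has to be tested rather than assumed.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $raw = openssl_random_pseudo_bytes($bytes, $strong);
        if ($raw !== false && $strong === true && strlen($raw) === $bytes) {
            return bin2hex($raw);
        }
    }

    // Fallback for PHP 5.2 on Unix-like systems: read the kernel CSPRNG directly.
    if (is_readable('/dev/urandom')) {
        $fh = fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            $raw = fread($fh, $bytes);
            fclose($fh);
            if (strlen($raw) === $bytes) {
                return bin2hex($raw);
            }
        }
    }

    // No secure source available: fail closed instead of silently falling back
    // to mt_rand()/uniqid(), whose output an attacker can reconstruct.
    throw new RuntimeException('No cryptographically secure random source available');
}

// Generic anti-pattern for contrast (not a claim about what synclib does): a value
// derived from the clock and a non-cryptographic PRNG is guessable by anyone who can
// narrow down the request time or observe a few earlier outputs.
function predictable_nonce_antipattern()
{
    return md5(uniqid(mt_rand(), true));
}

// Usage: store this in the server_nonce field instead of a time- or counter-derived value.
$nonce = generate_server_nonce();
echo $nonce, "\n";
```

Even if the field is only used to track queue entries today, a nonce that is also unguessable costs nothing extra once a CSPRNG is available, and it removes the question of whether predictability matters if the field's use ever widens.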



PHP 5.2 reached EOL over three years ago:
