Update README.md

author: Scott <scott@paragonie.com> 2016-03-11 19:45:17 -0500
committer: Scott <scott@paragonie.com> 2016-03-11 19:45:17 -0500
commit: 7f41537e157570b456ab842430b750a943d65acb (patch)
tree: bf7997860df2f4f3d0f2ed1a49d5837cbb9ac20c
parent: 673050b083b6494f69b99e1a7fe483ffc3e7df3e (diff)
download: constant_time_encoding-7f41537e157570b456ab842430b750a943d65acb.zip
constant_time_encoding-7f41537e157570b456ab842430b750a943d65acb.tar.gz
constant_time_encoding-7f41537e157570b456ab842430b750a943d65acb.tar.bz2
1 files changed, 6 insertions, 0 deletions
diff --git a/README.md b/README.md
index cb6f1f9..5ffbcf0 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,12 @@
 
 [![Build Status](https://travis-ci.org/paragonie/constant_time_encoding.svg?branch=master)](https://travis-ci.org/paragonie/constant_time_encoding)
 
+### Security Warning: Due to how PHP implements `chr()` (and there is no way to work around it), this cannot achieve true cache-timing safety. 
+
+However, if you implement the algorithms in C as part of php-src, you can.
+
+---
+
 Based on the work of [Steve "Sc00bz" Thomas](https://github.com/Sc00bz/ConstTimeEncoding), this library aims to offer
 character encoding functions that do not leak information about what you are encoding/decoding via processor cache 
 misses. Further reading on [cache-timing attacks](http://blog.ircmaxell.com/2014/11/its-all-about-time.html).
author	Scott <scott@paragonie.com>	2016-03-11 19:45:17 -0500
committer	Scott <scott@paragonie.com>	2016-03-11 19:45:17 -0500
commit	7f41537e157570b456ab842430b750a943d65acb (patch)
tree	bf7997860df2f4f3d0f2ed1a49d5837cbb9ac20c
parent	673050b083b6494f69b99e1a7fe483ffc3e7df3e (diff)
download	constant_time_encoding-7f41537e157570b456ab842430b750a943d65acb.zip constant_time_encoding-7f41537e157570b456ab842430b750a943d65acb.tar.gz constant_time_encoding-7f41537e157570b456ab842430b750a943d65acb.tar.bz2