<p dir="ltr"><br>
On 25 Feb 2014 23:23, "Donald Stufft" <<a href="mailto:donald@stufft.io">donald@stufft.io</a>> wrote:<br>
><br>
><br>
> On Feb 25, 2014, at 8:17 AM, Antoine Pitrou <<a href="mailto:solipsis@pitrou.net">solipsis@pitrou.net</a>> wrote:<br>
><br>
> > On Tue, 25 Feb 2014 08:08:09 -0500<br>
> > Donald Stufft <<a href="mailto:donald@stufft.io">donald@stufft.io</a>> wrote:<br>
> >><br>
> >> Hash randomization is broken and doesn’t fix anything.<br>
> ><br>
> > Not sure what you mean with "doesn't fix anything". Hash collisions were<br>
> > easy to exploit pre-hash randomization, they doesn't seem as easy to<br>
> > exploit with it.<br>
><br>
> Instead of pre-generating one set of values that can be be used to DoS things<br>
> you have to pre-generate 256 sets of values and try them until you get the<br>
> right one. It’s like putting on armor made of paper and saying it’s harder to<br>
> stab you now.</p>
<p dir="ltr">This isn't quite correct - the hash randomisation can at least be combined with aggressive process recycling to present a moving target that is harder to attack. Without any hash randomisation at all, process recycling can't help in the slightest.</p>
<p dir="ltr">SIPHash is still the real fix, although the reality remains that an attacker that really wants to bring a site down is likely to achieve their aims, regardless of whether or not there's a specific DoS vulnerability in the application server.</p>
<p dir="ltr">Cheers,<br>
Nick.</p>
<p dir="ltr">><br>
><br>
> -----------------<br>
> Donald Stufft<br>
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA<br>
><br>
><br>
> _______________________________________________<br>
> Python-Dev mailing list<br>
> <a href="mailto:Python-Dev@python.org">Python-Dev@python.org</a><br>
> <a href="https://mail.python.org/mailman/listinfo/python-dev">https://mail.python.org/mailman/listinfo/python-dev</a><br>
> Unsubscribe: <a href="https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com">https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com</a><br>
><br>
</p>