At 9:19 AM -0400 7/8/03, Barry Warsaw wrote:
> The data we use:
> - the str() of the output of random.random()
> - the str() of the server's current time
> - the str() of the "content"
> and we concatenate these three strings together before hashing them.
I'm not sitting in front of the source code for Mailman right now (and I don't read Python), so this brings up a few questions.
Can random.random() run out of randomness? That is, if you bombard the machine with requests that call random.random(), will it start sending out predictable responses?
What is the granularity of the server's current time? If it is "seconds", this becomes easily predictable to an attacker. Even if it is "hundredths of seconds", that only means that the attacker has to send one or two hundred attempts for each confirmation. Unless Mailman notes "failed attempt to confirm a subscription", this could be lost in the noise.
How many bits of the hash are used? I ask because many programs that use hashes will not use the whole hash.
The answer to the above three (particularly the first) determines whether or not an attacker can sensibly forge confirmations. (Of course, watching the outgoing mail would make this attack easier too. :-) )
--Paul Hoffman, Director --Internet Mail Consortium
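As an added example (not Mailman's code and not from either poster), the cookie construction Barry describes is written out in Python next to a hardened alternative that answers Paul's three questions from the defender's side: OS-grade randomness, no dependence on the clock, the full token compared in constant time, and failed confirmations counted. The hash function is not named in the message, so SHA-1 is assumed; `PendingConfirmations` is a hypothetical design, not Mailman's.

```python
import hashlib
import hmac
import random
import secrets
import time


def legacy_cookie(content, rng=random, now=None, hexdigits=None):
    """hash(str(random.random()) + str(server time) + str(content)), as described
    in the thread (hash assumed to be SHA-1).

    rng and now are parameters only to make the point testable: the cookie is a
    pure function of the RNG output, the timestamp at the clock's granularity and
    the content.  random.random() is Mersenne Twister, not a CSPRNG, so none of
    the three inputs is a secret by design."""
    ts = time.time() if now is None else now
    data = str(rng.random()) + str(ts) + str(content)
    digest = hashlib.sha1(data.encode()).hexdigest()
    # Truncating the digest (Paul's third question) shrinks the guess space.
    return digest if hexdigits is None else digest[:hexdigits]


class PendingConfirmations:
    """Hypothetical hardened design: a 128-bit token from the OS CSPRNG, held
    server-side, compared in constant time, consumed on first use; every failed
    attempt is counted so guessing is visible rather than lost in the noise."""

    def __init__(self):
        self._pending = {}        # cookie -> content awaiting confirmation
        self.failed_attempts = 0  # feed this to logging / rate limiting

    def issue(self, content):
        cookie = secrets.token_hex(16)  # 32 hex chars, 128 bits of entropy
        self._pending[cookie] = content
        return cookie

    def confirm(self, cookie):
        """Return the confirmed content, or None (and count the failure)."""
        match = None
        for stored in self._pending:
            if hmac.compare_digest(stored, cookie):
                match = stored
        if match is None:
            self.failed_attempts += 1
            return None
        return self._pending.pop(match)
```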