[Mailman-Developers] Possible yahoogroups problem.

Barry Warsaw barry at python.org
Tue Jul 8 17:54:29 EDT 2003


On Tue, 2003-07-08 at 11:00, Nigel Metheringham wrote:

> One thing that could be considered to protect ourselves against such
> attacks if there was a way of reducing the complexity to reasonable
> levels, would be to drop pending subscription requests after a couple
> (think of an appropriate number) of failed cookie cracking attempts. 
> That of course transforms this into a denial of service attack :-(

Oh whoops, I just realized that if you get the cookie wrong, you have no
idea which subscription request they intended to confirm.  SHA has 160
bits of data in it and if you're off by one, you don't get a hit and we
error out.  But there's no way to match the SHA hexdigest that you got
in the confirmation attempt with one in the database of pending
subscription requests.

-Barry
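The situation the thread describes, as an added example that is not Mailman's code: pending requests are keyed by a 160-bit SHA-1 hexdigest cookie, so a wrong cookie matches nothing and cannot be traced to any one request, which is why per-request lockout is impossible. The per-client failure counter and the `MAX_FAILURES` threshold are assumptions about one possible mitigation, not anything on the page.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

MAX_FAILURES = 3          # assumed threshold, not a Mailman setting
HEX_CHARS = set("0123456789abcdef")


class PendingStore:
    """Pending subscription requests keyed by a SHA-1 hexdigest cookie."""

    def __init__(self):
        self._pending = {}                  # hexdigest cookie -> request
        self._failures = defaultdict(int)   # client id -> failed confirms

    def add(self, request):
        # Cookie derivation is an assumption; the page only says it is a SHA hexdigest.
        cookie = hashlib.sha1(secrets.token_bytes(20)).hexdigest()
        self._pending[cookie] = request
        return cookie

    def pending_count(self):
        return len(self._pending)

    def is_throttled(self, client):
        return self._failures[client] >= MAX_FAILURES

    def confirm(self, cookie, client):
        """Return and remove the request for an exact cookie match, else None.

        A wrong cookie removes nothing: with a 160-bit digest a near miss looks
        exactly like a random string, so there is no request to attribute the
        failure to.  The only thing that can be counted is the client making it."""
        if self.is_throttled(client):
            return None
        cookie = cookie.strip().lower()
        if len(cookie) == 40 and set(cookie) <= HEX_CHARS:
            for stored in list(self._pending):
                # Constant-time comparison so timing leaks nothing about stored cookies.
                if hmac.compare_digest(stored, cookie):
                    self._failures.pop(client, None)
                    return self._pending.pop(stored)
        self._failures[client] += 1
        return None
```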
