[Python-Dev] Hash collision security issue (now public)
Terry Reedy
tjreedy at udel.edu
Sat Dec 31 06:02:43 CET 2011
On 12/30/2011 8:04 PM, Jim Jewett wrote:
> I'll state it more strongly. hash probably should not change (at
> least for this),
I agree, especially since the vulnerability can be avoided by using 64
bit servers and will generally abate as more switch anyway.
> but we may
> want to consider a different conflict resolution strategy when the
> first slot is already filled.
>
> Remember that there was a fair amount of thought and timing effort put
> into selecting the current strategy; it is deliberately sub-optimal for
> random input, in order to do better with typical input.
> <http://hg.python.org/cpython/file/7010fa9bd190/Objects/dictnotes.txt>
It would be good to have a set of attack strings to see how vulnerable
Py dicts actually are (Python may not have been actually tested with
data) and the effect of any change. I gave the project email of the 2
presenters in my first post. They apparently want to work with language
developers to improve defenses against attack.
--
Terry Jan Reedy