[Python-Dev] Counting collisions for the win
Nick Coghlan
ncoghlan at gmail.com
Fri Jan 20 11:06:32 CET 2012
On Fri, Jan 20, 2012 at 7:34 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> The main issue with that approach is that it allows a new kind of attack.
>
> An attacker now needs to find 1000 colliding keys, and submit them
> one-by-one into a database. The limit will not trigger, as those are
> just database insertions.
>
> Now, if the application also has a need to read the entire database
> table into a dictionary, that will suddenly break, and not for the
> attacker (which would be ok), but for the regular user of the
> application or the site administrator.
>
> So it may be that this approach actually simplifies the attack, making
> the cure worse than the disease.
Ouch, I think you're right. So hash randomisation may be the best
option, and admins will need to test for themselves to see if it
breaks things...
Regards,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
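The failure mode Martin describes, as an added example that is not code from this thread or from CPython: a toy chained table with the proposed collision limit, a constructed keyed hash standing in for the string hash, and a seed argument modelling hash randomisation. The table size, the key format and the function names are my own assumptions.

```python
import hashlib
import itertools

LIMIT = 1000      # the proposed collision limit discussed in the thread
BUCKETS = 256     # toy table size, kept tiny so the demo runs in about a second


def keyed_hash(key: bytes, seed: int) -> int:
    """Constructed stand-in for a string hash; the seed models randomisation."""
    digest = hashlib.blake2b(key, key=seed.to_bytes(8, "big"), digest_size=4).digest()
    return int.from_bytes(digest, "big")


class CountingTable:
    """Toy chained hash table with the proposed 'count collisions, then fail' guard."""

    def __init__(self, seed: int):
        self.seed = seed
        self.buckets = [[] for _ in range(BUCKETS)]

    def insert(self, key: bytes) -> None:
        chain = self.buckets[keyed_hash(key, self.seed) % BUCKETS]
        if key in chain:
            return
        if len(chain) >= LIMIT:             # the guard: refuse an over-long chain
            raise RuntimeError("too many hash collisions")
        chain.append(key)


def colliding_keys(n: int, seed: int) -> list:
    """n distinct keys that share one bucket when the seed is fixed and known."""
    target = keyed_hash(b"x", seed) % BUCKETS
    found = []
    for i in itertools.count():
        key = b"key%d" % i
        if keyed_hash(key, seed) % BUCKETS == target:
            found.append(key)
            if len(found) == n:
                return found


def bulk_load_fails(rows: list, seed: int) -> bool:
    """Does rebuilding a dict from the stored rows trip the guard?"""
    table = CountingTable(seed)
    try:
        for row in rows:
            table.insert(row)
    except RuntimeError:
        return True
    return False


def scenario(admin_seed: int) -> bool:
    # Rows are submitted one at a time into a plain list (the 'database'),
    # which has no chain limit, so nothing fires at submission time.
    database = list(colliding_keys(LIMIT + 1, seed=0))
    # Later the administrator's process loads every row into a dict at once;
    # with a fixed seed the guard fires for that innocent bulk read.
    return bulk_load_fails(database, admin_seed)
```

With seed 0 in both processes the guard trips for the administrator's bulk load; with a per-process seed the same rows spread across buckets and the load succeeds.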