[Python-Dev] Counting collisions for the win

Nick Coghlan ncoghlan at gmail.com
Fri Jan 20 11:06:32 CET 2012

On Fri, Jan 20, 2012 at 7:34 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> The main issue with that approach is that it allows a new kind of attack.
> An attacker now needs to find 1000 colliding keys, and submit them
> one-by-one into a database. The limit will not trigger, as those are
> just database insertions.
> Now, if the application also has a need to read the entire database
> table into a dictionary, that will suddenly break, and not for the
> attacker (which would be ok), but for the regular user of the
> application or the site administrator.
> So it may be that this approach actually simplifies the attack, making
> the cure worse than the disease.

Ouch, I think you're right. So hash randomisation may be the best
option, and admins will need to test for themselves to see if it
breaks things...


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
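The scenario Martin describes, as an added example that is not part of the original post: a toy hash table that counts collisions per insertion and refuses the insert past the 1000 threshold from the thread. It assumes simple linear probing in place of CPython's perturbation scheme, and `CollidingKey` is a constructed key type whose instances all share one hash.

```python
# Added illustration, not code from the thread: a toy open-addressing table that
# counts collisions per insert and rejects the insert past a limit (linear probing
# stands in for CPython's perturbation scheme; the 1000 threshold is the thread's).

class TooManyCollisions(Exception):
    """One insertion probed more than `limit` occupied slots."""

class CountingTable:
    def __init__(self, nslots=4096, limit=1000):
        self.nslots, self.limit = nslots, limit
        self.slots = [None] * nslots  # each slot holds None or (key, value)

    def insert(self, key, value):
        i = hash(key) % self.nslots
        collisions = 0
        while self.slots[i] is not None and self.slots[i][0] != key:
            collisions += 1
            if collisions > self.limit:
                raise TooManyCollisions(f"{collisions} collisions on key {key.n}")
            i = (i + 1) % self.nslots  # linear probing to the next slot
        self.slots[i] = (key, value)

class CollidingKey:
    """Constructed key type: every instance hashes to the same bucket."""
    def __init__(self, n):
        self.n = n
    def __hash__(self):
        return 42  # constant hash: every key joins a single probe chain
    def __eq__(self, other):
        return isinstance(other, CollidingKey) and self.n == other.n

def store_one_at_a_time(keys, limit=1000):
    """Attacker path: one fresh dict per request, so the counter never trips."""
    accepted = 0
    for key in keys:
        CountingTable(limit=limit).insert(key, "row")
        accepted += 1
    return accepted

def load_all(keys, limit=1000):
    """Admin path: loading the whole table into one dict trips the limit.
    Returns (succeeded, number of keys inserted before the failure)."""
    table = CountingTable(limit=limit)
    for inserted, key in enumerate(keys):
        try:
            table.insert(key, "row")
        except TooManyCollisions:
            return False, inserted
    return True, len(keys)
```

With 1002 colliding keys, every single-key request is accepted, while the later bulk load fails on the 1002nd key, which is exactly the "cure worse than the disease" outcome in the quoted message.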
