[Python-Dev] Counting collisions for the win

Guido van Rossum guido at python.org
Fri Jan 20 18:50:25 CET 2012


On Fri, Jan 20, 2012 at 1:57 AM, Frank Sievertsen <pydev at sievertsen.de> wrote:

> The main issue with that approach is that it allows a new kind of attack.
>
> Indeed, I posted another example: http://bugs.python.org/msg151677
>
> This kind of fix can be used in a specific application or maybe in a
> special-purpose framework, but not on the level of a general-purpose
> language.

Right. We are discussing this issue (for weeks now...) because it makes
pretty much any Python app that takes untrusted data vulnerable, especially
web apps, and after extensive analysis we came to the conclusion that
defenses in the framework or in the app are really hard to do, very
disruptive for developers, whereas preventing the attack by a modification
of the dict or hash algorithms would fix it for everybody. And moreover,
the attack would work against pretty much any Python web app using a set of
evil strings computed once (hence encouraging script kiddies to just fire
their fully-automatic weapon at random websites).

The new attacks that are now being considered require analysis of how the
website is implemented, how it uses and stores data, etc. So an attacker
has to sit down and come up with an attack tailored to a specific website.
That can be dealt with on an ad-hoc basis.

-- 
--Guido van Rossum (python.org/~guido)
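The two dict-level defenses the thread weighs, a collision-count limit (the "counting collisions" of the subject line) and a per-process randomized hash, as an added illustration that is not code from this thread and not CPython's dict or hash implementation. Everything here is constructed for the demo: `weak_hash` is a deliberately trivial byte-sum hash so that colliding keys are easy to exhibit (any anagram collides), `seeded_hash` is a toy multiplicative hash and not the algorithm CPython adopted, `MAX_COLLISIONS` is an assumed threshold, and `anagram_keys` stands in for the "set of evil strings computed once".

```python
import os
from itertools import permutations

# Assumed threshold for the demo; CPython never shipped this exact number.
MAX_COLLISIONS = 4
NBUCKETS = 64
MASK = 0xFFFFFFFF


class TooManyCollisions(Exception):
    """Raised when a bucket chain would grow past the configured limit."""


def weak_hash(key: str, seed: int = 0) -> int:
    """Constructed, deliberately weak hash: the byte sum of the key.

    Every anagram of a key hashes identically, so one precomputed list of
    keys lands in a single bucket of every table that uses this function.
    The seed parameter is ignored; it only keeps the call signature uniform.
    """
    return sum(key.encode("utf-8")) & MASK


def seeded_hash(key: str, seed: int) -> int:
    """Constructed per-process randomized hash (not CPython's algorithm).

    Mixing a secret seed into every step means colliding inputs would have
    to be recomputed per target process, which defeats a one-off list.
    """
    h = seed & MASK
    for b in key.encode("utf-8"):
        h = ((h * 1000003) & MASK) ^ b
    return h


class CountingDict:
    """Chained hash table that refuses to extend a chain beyond max_collisions."""

    def __init__(self, hash_fn, seed=0, nbuckets=NBUCKETS, max_collisions=MAX_COLLISIONS):
        self.buckets = [[] for _ in range(nbuckets)]
        self.hash_fn = hash_fn
        self.seed = seed
        self.max_collisions = max_collisions
        self.comparisons = 0  # key comparisons spent on inserts: the DoS cost

    def _chain(self, key):
        return self.buckets[self.hash_fn(key, self.seed) % len(self.buckets)]

    def __setitem__(self, key, value):
        chain = self._chain(key)
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        # A new key that collides with len(chain) existing keys: refuse
        # rather than let one bucket degrade the table into a linear scan.
        if len(chain) >= self.max_collisions:
            raise TooManyCollisions(
                f"{len(chain)} keys already in this bucket (limit {self.max_collisions})")
        chain.append((key, value))

    def __getitem__(self, key):
        for k, v in self._chain(key):
            if k == key:
                return v
        raise KeyError(key)

    def occupied_buckets(self):
        return sum(1 for c in self.buckets if c)


def anagram_keys(word="abcde", n=10):
    """Constructed adversarial input: distinct anagrams, all colliding under weak_hash."""
    return ["".join(p) for p in list(permutations(word))[:n]]


def insert_until_limit(keys, hash_fn, seed=0, max_collisions=MAX_COLLISIONS):
    """Insert keys in order; return (number inserted, whether the limit tripped)."""
    table = CountingDict(hash_fn, seed=seed, max_collisions=max_collisions)
    for i, key in enumerate(keys):
        try:
            table[key] = i
        except TooManyCollisions:
            return i, True
    return len(keys), False


if __name__ == "__main__":
    keys = anagram_keys()
    print("weak hash, limit 4:", insert_until_limit(keys, weak_hash))
    seed = int.from_bytes(os.urandom(4), "big")
    table = CountingDict(seeded_hash, seed=seed, max_collisions=len(keys))
    for k in keys:
        table[k] = 1
    print("seeded hash, buckets used:", table.occupied_buckets())
```

The counting limit caps the damage a single bucket can do but still lets an attacker find the limit with the same precomputed list, which is the kind of "new attack" the quoted message refers to; the seeded variant removes the precomputed-list property outright, since the seed is unknown to an attacker who does not already have access to the process. The second direction is the one CPython eventually shipped as hash randomization (the PYTHONHASHSEED setting), while the first is what the subject line of this thread proposes.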