[Python-Dev] Counting collisions for the win

Frank Sievertsen pydev at sievertsen.de
Fri Jan 20 23:35:42 CET 2012

Am 20.01.2012 16:33, schrieb Guido van Rossum:
> (I'm thinking that the original attack is trivial once the set of 
> 65000 colliding keys is public knowledge, which must be only a matter 
> of time.

I think it's very likely that this will happen soon.

For ASP and PHP there is attack-payload publicly available.
PHP and ASP have patches to limit the number of query-variables.

We're very lucky that there's no public payload for python yet,
and all non-public software and payload I'm aware of is based
upon my software.

But this can change any moment. It's not really difficult to
write software to create 32bit-collisions.


More information about the Python-Dev mailing list