[Python-Dev] Counting collisions for the win

Matthew Woodcraft matthew at woodcraft.me.uk
Sat Jan 21 16:50:59 CET 2012


Victor Stinner  <victor.stinner at haypocalc.com> wrote:
> I propose to solve the hash collision vulnerability by counting
> collisions [...]

> We now know all issues of the randomized hash solution, and I
> think that there are more drawbacks than advantages. IMO the
> randomized hash is overkill to fix the hash collision issue.


For web frameworks, forcing an exception is less harmful than forcing a
many-second delay, but I think it's hard to be confident that there
aren't other vulnerable applications where it's the other way round.


Web frameworks like the exception because they already have backstop
exception handlers, and anyway they use short-lived processes and keep
valuable data in databases rather than process memory.

Web frameworks don't like the delay because they allow unauthenticated
users to submit many requests (including multiple requests in parallel),
and they normally expect each response to take little cpu time.


But many programs are not like this.

What about a log analyser or a mailing list archiver or a web crawler or
a game server or some other kind of program we haven't considered?

-M-



More information about the Python-Dev mailing list