[Python-Dev] Make str/bytes hash algorithm pluggable?
Larry Hastings
larry at hastings.org
Sat Oct 5 00:51:02 CEST 2013
On 10/04/2013 11:15 AM, Victor Stinner wrote:
> 2013/10/4 Armin Rigo <arigo at tunes.org>:
>> The current hash randomization is
>> simply not preventing anything; someone posted long ago a way to
>> recover bit-by-bit the hash randomized used by a remote web program in
>> Python running on a server.
> Oh interesting, is it public?
http://events.ccc.de/congress/2012/Fahrplan/events/5152.en.html
Quoting the synopsis:
We also describe a vulnerability of Python's new randomized hash,
allowing an attacker to easily recover the 128-bit secret seed.
I found all that while reading this interesting, yet moribund, bug report:
http://bugs.python.org/issue14621
I guess there was enough bike shedding that people ran out of steam, or
something. It happens.
//arry/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20131005/fb0c10e9/attachment.html>
More information about the Python-Dev
mailing list