[Python-ideas] Secure string disposal (maybe other inmutable seq types too?)
Steven D'Aprano
steve at pearwood.info
Fri Jun 22 21:45:47 EDT 2018
On Sat, Jun 23, 2018 at 01:33:59PM +1200, Greg Ewing wrote:
> Chris Angelico wrote:
> >Downside:
> >You can't say "I'm done with this string, destroy it immediately".
>
> Also it would be hard to be sure there wasn't another
> copy of the data somewhere from a time before you
> got around to marking the string as sensitive, e.g.
> in a file buffer.
Don't let the perfect be the enemy of the good. We know there's at least
one place that a string could leak private information. Just because
there could hypothetically be other such places, doesn't make it useless
to wipe that known potential leak.
Attackers are not always omniscient. Even if an application leaks
private data in ten places, some attacker may only know of, or be
capable of, attacking *one* leak. If we can, we ought to plug it, and
leave those hypothetical other leaks for another day.
(Burglars can lift the tiles off my roof, climb into the ceiling, and
hence down into my house. Nevertheless I still lock my front door.)
--
Steve
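The idiom the thread is circling, shown as an added example (not code from the original post or from CPython): keep the secret in a mutable bytearray so the one copy you own can be overwritten, while noting that any conversion to str or bytes creates a copy the wipe cannot reach. The names secret_buffer, derive_key, is_wiped and demo are assumptions of this example.

```python
from __future__ import annotations

import hashlib
from contextlib import contextmanager


@contextmanager
def secret_buffer(initial: bytes):
    """Yield a mutable copy of `initial` and zero it in place when the block ends.

    str and bytes are immutable, so once a secret lands in one of them it
    cannot be overwritten, only released to the allocator. A bytearray can be
    overwritten, which plugs the one leak we control: the buffer we own.
    """
    buf = bytearray(initial)
    try:
        yield buf
    finally:
        # Same-length slice assignment writes into the existing buffer,
        # so no second copy of the secret is created while wiping.
        buf[:] = bytes(len(buf))


def is_wiped(buf: bytearray) -> bool:
    """True when every byte of the buffer has been zeroed."""
    return not any(buf)


def derive_key(password: bytearray, salt: bytes) -> bytes:
    # hashlib accepts any bytes-like object; passing the bytearray itself
    # avoids materialising an immutable copy of the password.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def demo() -> tuple[bytearray, bytes, bytes]:
    # Constructed sample secret; in practice it would come from getpass or a vault.
    with secret_buffer(b"hunter2") as pw:
        key = derive_key(pw, b"constructed-salt")
        # Any conversion to an immutable type is a copy secret_buffer cannot
        # reach: the "other copy somewhere" the quoted reply warns about.
        lingering_copy = bytes(pw)
    return pw, key, lingering_copy
```

After demo() returns, the bytearray is all zeros while lingering_copy still holds the password, which is exactly why the wipe is worth doing and also why it is not a complete answer.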