[Python-ideas] Secure string disposal (maybe other inmutable seq types too?)

Steven D'Aprano steve at pearwood.info
Fri Jun 22 21:45:47 EDT 2018

On Sat, Jun 23, 2018 at 01:33:59PM +1200, Greg Ewing wrote:
> Chris Angelico wrote:
> >Downside:
> >You can't say "I'm done with this string, destroy it immediately".
> Also it would be hard to be sure there wasn't another
> copy of the data somewhere from a time before you
> got around to marking the string as sensitive, e.g.
> in a file buffer.

Don't let the perfect be the enemy of the good. We know there's at least 
one place that a string could leak private information. Just because 
there could hypothetically be other such places, doesn't make it useless 
to wipe that known potential leak.

Attackers are not always omniscient. Even if an application leaks 
private data in ten places, some attacker may only know of, or be 
capable of, attacking *one* leak. If we can, we ought to plug it, and 
leave those hypothetical other leaks for another day.

(Burglars can lift the tiles off my roof, climb into the ceiling, and 
hence down into my house. Nevertheless I still lock my front door.)


More information about the Python-ideas mailing list