Defensive programming

Paul Rubin
Mon Jun 2 04:13:08 EDT 2003


Neil Schemenauer <nas-usenet at arctrix.com> writes:
> > The paper proposed a good solution, which is use a hash function that
> > the attacker doesn't have enough information to manipulate.
> 
> Why should everyone have to use a slower or more complicated hash
> function?  

For the same reason everyone who uses Python gets array bounds
checking whether they ask for it or not.  What makes you think that a
collision resistant function is necessarily slower?  As for "more
complicated", why should the user care whether the function is
complicated as long as the Python implementation takes care of it?

> People who really care can use a custom __hash__ or use a different
> container (like a tree).  If you are worried about DoS attacks then
> you have a lot more problems than just a deterministic hash function.

Using a tree really would be slower and more space consuming in the
normal case, and is only worth suggesting if you're proposing that
Python provide a tree object that works just like a dict object.  The
whole point of Python is to take care of stuff like dictionary
implementation so that the application programmer doesn't have to
think about it.

If a collision resistant hash really has to be slower than the regular
version, then have a runtime switch to select which version to use.
Or if Python ever gets a taint checking option like Perl's, then the
collision resistance should be enabled by default, since the keys may
be tainted data.

Anyway I haven't read the paper yet, but it sounds like there should
be very fast and simple effective countermeasures to the attack, so it
seems silly for Python not to offer them.
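The attack and the countermeasure argued over above, as an added example that is not code from this thread or from any Python release: a chained hash table whose hash function is chosen at construction time (the "runtime switch" idea), an invented djb2-style `weak_hash` standing in for any public deterministic string hash, and a keyed BLAKE2b hash standing in for "a hash function the attacker doesn't have enough information to manipulate". The bucket count, the attacker's key-search strategy and all names are assumptions made for the demonstration.

```python
"""Hash-collision DoS against a chained hash table, and the keyed-hash fix.
Added example, not from the thread.  weak_hash() is an invented djb2-shaped
function; NBUCKETS is kept small so the effect is easy to see."""
import hashlib
import itertools
import os
import string

NBUCKETS = 64          # assumed table size; real tables grow, toy one does not
MASK = 0xFFFFFFFF


def weak_hash(key: bytes, secret: bytes = b"") -> int:
    """Deterministic multiplicative hash (djb2 shape).  Public and unseeded, so
    an attacker can evaluate it offline and choose keys that share a bucket.
    'secret' is ignored; it exists only so both hash functions share a
    signature and can be swapped at runtime."""
    h = 5381
    for b in key:
        h = ((h * 33) ^ b) & MASK
    return h


def keyed_hash(key: bytes, secret: bytes) -> int:
    """Keyed hash: BLAKE2b in keyed mode with a per-process secret.  Without
    the secret an attacker cannot predict which bucket a key lands in."""
    digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")


class ChainTable:
    """Minimal separate-chaining hash table that counts key comparisons, the
    cost an attacker inflates by forcing every key into one chain."""

    def __init__(self, hash_fn, secret: bytes = b""):
        self.hash_fn = hash_fn            # selected at runtime, per table
        self.secret = secret
        self.buckets = [[] for _ in range(NBUCKETS)]
        self.comparisons = 0

    def insert(self, key: bytes, value) -> None:
        chain = self.buckets[self.hash_fn(key, self.secret) % NBUCKETS]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1          # one comparison per key on the chain
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def max_chain(self) -> int:
        return max(len(c) for c in self.buckets)


def colliding_keys(n: int, target_bucket: int = 0) -> list:
    """What an attacker does against a public hash: enumerate short lowercase
    keys offline and keep those whose weak_hash lands in target_bucket."""
    found = []
    alphabet = string.ascii_lowercase.encode()
    for length in itertools.count(1):
        for tup in itertools.product(alphabet, repeat=length):
            key = bytes(tup)
            if weak_hash(key) % NBUCKETS == target_bucket:
                found.append(key)
                if len(found) == n:
                    return found


def attack_cost(keys, hash_fn, secret: bytes = b"") -> tuple:
    """Insert the attacker's keys into a fresh table and report
    (total key comparisons, longest chain)."""
    table = ChainTable(hash_fn, secret)
    for k in keys:
        table.insert(k, True)
    return table.comparisons, table.max_chain()


if __name__ == "__main__":
    evil = colliding_keys(128)
    # Every key hits bucket 0: 0+1+...+127 = 8128 comparisons, one chain of 128.
    print("deterministic hash:", attack_cost(evil, weak_hash))
    # Same keys, secret the attacker never saw: spread over the table.
    print("keyed hash:        ", attack_cost(evil, keyed_hash, os.urandom(16)))
```

The comparison count grows quadratically in the number of colliding keys under the deterministic hash and stays roughly linear under the keyed one; the attacker's precomputed key set is useless against a secret it did not know when it was built. The keyed hash here is not faster than the weak one, which is exactly the trade-off the thread argues about, but per-key cost stays constant while the collision attack's cost does not.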
