[Python-Dev] Counting collisions for the win
Nick Coghlan ncoghlan at gmail.com
Fri Jan 20 11:06:32 CET 2012
- Previous message: [Python-Dev] Counting collisions for the win
- Next message: [Python-Dev] Counting collisions for the win
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, Jan 20, 2012 at 7:34 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> The main issue with that approach is that it allows a new kind of attack.
> An attacker now needs to find 1000 colliding keys, and submit them one-by-one into a database. The limit will not trigger, as those are just database insertions. Now, if the application also has a need to read the entire database table into a dictionary, that will suddenly break, and not for the attacker (which would be ok), but for the regular user of the application or the site administrator. So it may be that this approach actually simplifies the attack, making the cure worse than the disease.
Ouch, I think you're right. So hash randomisation may be the best option, and admins will need to test for themselves to see if it breaks things...
Regards, Nick.
-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia