[Python-Dev] Counting collisions for the win (original) (raw)
Victor Stinner victor.stinner at haypocalc.com
Fri Jan 20 13:50:18 CET 2012
- Previous message: [Python-Dev] Counting collisions for the win
- Next message: [Python-Dev] Counting collisions for the win
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
The main issue with that approach is that it allows a new kind of attack.
An attacker now needs to find 1000 colliding keys, and submit them one-by-one into a database. The limit will not trigger, as those are just database insertions. Now, if the applications also as a need to read the entire database table into a dictionary, that will suddenly break, and not for the attacker (which would be ok), but for the regular user of the application or the site administrator.
Oh, good catch. But it would not call it a new kind of attack, it is just a particular case of the hash collision vulnerability.
Counting collision doesn't solve this case, but it doesn't make the situation worse than before. Raising quickly an exception is better than stalling for minutes, even if I agree than it is not the best behaviour. The best would is to answer quickly with the expected result :-) (using a different data structure or a different hash function?)
Right now, I don't see any counter measure against this case.
Victor
- Previous message: [Python-Dev] Counting collisions for the win
- Next message: [Python-Dev] Counting collisions for the win
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]