[Python-Dev] hash randomization in 3.3
Stephen J. Turnbull stephen at xemacs.org
Thu Feb 23 08:12:39 CET 2012
Antoine Pitrou writes:
> How is it a "false sense of security" at all? It's the same as setting a private secret for e.g. session cookies in Web applications. As long as you don't leak the seed, it's (should be) secure.
That's true. The problem is, the precondition that you won't leak the seed is all too often false. If a user takes advantage of the ability to set the seed, she can leak it, or a coworker (or a virus) can steal it from her source or keystroke logging, etc.
And it's not the same, at least not for a highly secure application. In high-quality security, session keys are generated for each session (and changed frequently); the user doesn't know them (of course, he can always find out if he really wants to know, and sometimes that's necessary -- Hello, Debian OpenSSH maintainer!), and so can't leak them.
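The point under discussion, as an added illustration that is not part of this thread and not CPython's own code: a seeded hash only protects a hash table while the seed stays secret. The toy below uses a keyed blake2b (an assumption standing in for the interpreter's seeded string hash; CPython's actual function differs) to bucket keys. An attacker who knows the seed can brute-force inputs that all land in one bucket and turn lookups into linear scans; against a seed drawn fresh from os-level randomness, the same inputs spread out normally. The table class, function names and the 64-bucket size are all hypothetical.

```python
import hashlib
import secrets


def keyed_hash(key: bytes, data: bytes) -> int:
    """Keyed 64-bit hash; assumed stand-in for Python's seeded str/bytes hash."""
    digest = hashlib.blake2b(data, key=key, digest_size=8).digest()
    return int.from_bytes(digest, "little")


class ToyTable:
    """Chained hash table that counts comparisons spent walking a bucket."""

    def __init__(self, seed: bytes, nbuckets: int = 64):
        self.seed = seed
        self.buckets = [[] for _ in range(nbuckets)]
        self.probes = 0  # key comparisons performed during inserts

    def insert(self, key: bytes) -> None:
        bucket = self.buckets[keyed_hash(self.seed, key) % len(self.buckets)]
        for existing in bucket:  # linear scan: cost grows with bucket length
            self.probes += 1
            if existing == key:
                return
        bucket.append(key)

    def max_bucket_load(self) -> int:
        return max(len(b) for b in self.buckets)


def colliding_keys(known_seed: bytes, n: int, nbuckets: int = 64) -> list:
    """Attacker who has learned the seed: brute-force n keys hashing to bucket 0."""
    found = []
    i = 0
    while len(found) < n:
        candidate = b"k%d" % i  # constructed attacker input
        if keyed_hash(known_seed, candidate) % nbuckets == 0:
            found.append(candidate)
        i += 1
    return found


def run_demo(n_keys: int = 200) -> dict:
    """Insert the same attacker-chosen keys into a table with a leaked, fixed
    seed and into one with a per-process secret seed; report bucket skew."""
    leaked_seed = b"\x00" * 16  # fixed seed an operator set and then leaked
    attack_keys = colliding_keys(leaked_seed, n_keys)

    victim = ToyTable(leaked_seed)
    for k in attack_keys:
        victim.insert(k)

    hardened = ToyTable(secrets.token_bytes(16))  # fresh secret per process
    for k in attack_keys:
        hardened.insert(k)

    return {
        "leaked_max_load": victim.max_bucket_load(),
        "leaked_probes": victim.probes,
        "secret_max_load": hardened.max_bucket_load(),
        "secret_probes": hardened.probes,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With the seed known, all 200 keys collide and inserting them costs 0 + 1 + ... + 199 = 19900 comparisons; with a secret seed the same keys scatter across the 64 buckets and the comparison count stays in the low hundreds. That is the whole difference between a secret the user can set (and leak) and one the process generates and never exposes.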