[issue15061] hmac.secure_compare() leaks information about length of strings

Martin v. Löwis report at bugs.python.org
Fri Jun 15 08:31:59 CEST 2012


Martin v. Löwis <martin at v.loewis.de> added the comment:

On 14.06.2012 14:26, Antoine Pitrou wrote:
> 
> Antoine Pitrou <pitrou at free.fr> added the comment:
> 
>> It's either secure or it's not.
> 
> I don't think that's true. By that reasoning, Python is not secure so
> there's no point in fixing crashes or providing a hashlib module.

The proper statement is "It's either time-independent or it's not".
This *is* a binary state (I agree that being secure is not a binary
state).

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue15061>
_______________________________________

