[issue14621] Hash function is not randomized properly

Marc-Andre Lemburg report at bugs.python.org
Mon Oct 22 08:48:48 CEST 2012


Marc-Andre Lemburg added the comment:

On 21.10.2012 23:42, STINNER Victor wrote:
> 
> STINNER Victor added the comment:
> 
>> It's interesting to note how this whole -R discussion made very long
>> threads on python-dev, and python-dev has subsequently ignored (for the
>> past 6 months!) the fact that their "fix" can be worked around in a matter
>> of minutes.
> 
> No, this issue has not been ignored. Nobody proposed anything to fix this
> issue, but we are still working on it (sometimes in private).
> 
> In my opinion, we cannot solve this issue without slowing down Python. Or I
> don't know yet a fast and secure hash algorithm. I don't really want to
> slow down Python for one specific issue whereas there are so many other
> ways to DoS a (web) server.

Well, I did propose a different approach to the whole problem to
count collisions. That would have avoided the usability issues you
have with the randomization approach, made it possible for the
application to detect the attack and not have introduced any significant
runtime overhead for applications not being attacked.

The proposal was shot down with the argument that it wouldn't
fix the problem.

It should also be noted that the randomization only applies to
strings/bytes, dictionaries with other colliding keys are not protected
at all.

Perhaps it's time to revisit the collision counting idea?

It would work in much the same way as the stack recursion limit
we have in Python.

-- 
Marc-Andre Lemburg
eGenix.com


----------
nosy: +lemburg

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue14621>
_______________________________________
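The collision-counting scheme Lemburg refers to, as an added example that is not part of the tracker message and not CPython's code: a small chained hash table that counts how many non-matching entries one insert or lookup has to walk and raises once a configurable limit is exceeded, in the same spirit as the interpreter's recursion limit. It also shows the caveat from the message that randomization only covers str/bytes: CPython's int hash is the integer itself and is unaffected by PYTHONHASHSEED, so attacker-chosen multiples of a power of two collide in every table size below that power. The names CountingDict, CollisionLimitExceeded, colliding_int_keys, insert_under_attack and hash_across_seeds are this example's own, not anything from the issue.

```python
"""Collision counting as an alternative to hash randomization (added example)."""
import os
import subprocess
import sys


class CollisionLimitExceeded(Exception):
    """Raised when one operation walks more colliding entries than allowed."""


class CountingDict:
    """Minimal chained hash table with a per-operation collision limit.

    Only the dict methods needed for the demonstration are implemented;
    the point is the counter in _walk, not a complete mapping API.
    """

    def __init__(self, max_collisions=100):
        self._buckets = [[] for _ in range(8)]  # always a power of two
        self._len = 0
        self.max_collisions = max_collisions
        # Longest chain walked so far: lets an application notice an
        # attack in progress before the hard limit trips.
        self.max_chain_seen = 0

    def __len__(self):
        return self._len

    def _walk(self, key):
        """Return (hash, bucket, index) for key; index is None if absent.

        Every entry examined that is not the key counts as one collision;
        exceeding max_collisions aborts the operation with an exception.
        """
        h = hash(key)
        bucket = self._buckets[h & (len(self._buckets) - 1)]
        collisions = 0
        for i, (kh, k, _) in enumerate(bucket):
            if kh == h and (k is key or k == key):
                self.max_chain_seen = max(self.max_chain_seen, collisions)
                return h, bucket, i
            collisions += 1
            if collisions > self.max_collisions:
                raise CollisionLimitExceeded(
                    f"more than {self.max_collisions} keys collide on hash {h:#x}")
        self.max_chain_seen = max(self.max_chain_seen, collisions)
        return h, bucket, None

    def __setitem__(self, key, value):
        h, bucket, i = self._walk(key)
        if i is not None:
            bucket[i] = (h, key, value)
            return
        bucket.append((h, key, value))
        self._len += 1
        if self._len * 3 > len(self._buckets) * 2:  # keep load factor <= 2/3
            self._resize()

    def __getitem__(self, key):
        _, bucket, i = self._walk(key)
        if i is None:
            raise KeyError(key)
        return bucket[i][2]

    def __contains__(self, key):
        return self._walk(key)[2] is not None

    def _resize(self):
        old, self._buckets = self._buckets, [[] for _ in range(len(self._buckets) * 2)]
        mask = len(self._buckets) - 1
        for bucket in old:
            for entry in bucket:
                self._buckets[entry[0] & mask].append(entry)


def fill_with_distinct_keys(n, max_collisions=100):
    """Benign workload: n distinct small ints spread over the buckets."""
    d = CountingDict(max_collisions)
    for i in range(n):
        d[i] = i
    return d


def colliding_int_keys(n):
    """Attacker-chosen keys (constructed): hash(int) is the int itself in
    CPython and is not randomized, so multiples of 2**24 share their low
    bits and land in the same bucket for every table size up to 2**24."""
    return [i << 24 for i in range(n)]


def insert_under_attack(keys, max_collisions=100):
    """Insert keys in order; return how many went in before the limit
    tripped, or None if it never did."""
    d = CountingDict(max_collisions)
    for i, k in enumerate(keys):
        try:
            d[k] = None
        except CollisionLimitExceeded:
            return i
    return None


def hash_across_seeds(expr, seeds=("1", "2")):
    """Evaluate hash(expr) in fresh interpreters under different
    PYTHONHASHSEED values; a one-element result means 'not randomized'."""
    results = set()
    for seed in seeds:
        out = subprocess.run([sys.executable, "-c", f"print(hash({expr}))"],
                             env={**os.environ, "PYTHONHASHSEED": seed},
                             capture_output=True, text=True, check=True).stdout
        results.add(int(out))
    return results


if __name__ == "__main__":
    print("benign longest chain:", fill_with_distinct_keys(1000).max_chain_seen)
    print("attack trips after", insert_under_attack(colliding_int_keys(1000)), "keys")
    print("str hashes across seeds:", hash_across_seeds("'abc'"))
    print("int hashes across seeds:", hash_across_seeds("1 << 24"))
```

With the default limit of 100 the benign fill never walks a single collision, while the crafted int keys are refused at the 102nd insert, and the application gets an exception it can log or turn into a 400 response rather than a quietly quadratic request. The subprocess helper is only there to make the str-versus-int difference visible in one run; the cost of the scheme itself is a counter increment on the probe loop, paid only on chains that are already long.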