[issue14532] multiprocessing module performs a time-dependent hmac comparison

Jon Oberheide report at bugs.python.org
Tue May 1 17:40:56 CEST 2012


Jon Oberheide <jon at oberheide.org> added the comment:

> You should explain what you already said: it is not a risk because the
> length of a HMAC is fixed.

Well, that's not entirely accurate. Exposing the length of the HMAC can expose what underlying hash is being used (e.g. HMAC-SHA1 has a different length than HMAC-MD5). It's generally not considered a risk since exposing the algorithm being used shouldn't impact your security (unless you're doing it very wrong).

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue14532>
_______________________________________
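
An added illustration of the point in the comment above, not code from the tracker issue or from CPython: a comparison whose only early exit is the length check can reveal the tag length, and so the hash in use, but not which bytes matched. The key, message and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values for the example.
KEY = b"constructed-example-key"
MSG = b"constructed example message"


def make_tag(algo: str, key: bytes = KEY, msg: bytes = MSG) -> bytes:
    """Return the raw HMAC tag of msg under key using the named hash."""
    return hmac.new(key, msg, getattr(hashlib, algo)).digest()


def tag_lengths() -> dict:
    """Tag length per hash: whoever learns the length can infer the hash."""
    return {algo: len(make_tag(algo)) for algo in ("md5", "sha1", "sha256")}


def equal_no_early_exit(expected: bytes, received: bytes) -> bool:
    """Compare two tags without stopping at the first differing byte.

    The only early exit is the length check, so timing can reveal the
    tag length but not how many leading bytes of the received tag
    were correct.
    """
    if len(expected) != len(received):
        return False
    diff = 0
    for a, b in zip(expected, received):
        diff |= a ^ b  # accumulate differences; never break out early
    return diff == 0


def verify(algo: str, received: bytes) -> bool:
    """Verify a received tag with the standard library's comparison."""
    return hmac.compare_digest(make_tag(algo), received)


if __name__ == "__main__":
    print(tag_lengths())
    good = make_tag("sha1")
    bad = good[:-1] + bytes([good[-1] ^ 1])  # flip one bit of the last byte
    print(equal_no_early_exit(good, good), equal_no_early_exit(good, bad))
    print(verify("sha1", good), verify("sha1", bad))
```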

