On Thursday, 14 August 2014 at 13:10:58 UTC, bearophile wrote:
> Marc Schütz:
>
>> Isn't SuperFastHash vulnerable to collision attacks?
>
> D AAs used to be not vulnerable to collision attacks because
> they resolved collisions building a red-black tree for each
> bucket. Later buckets became linked lists for speed, leading to
> the current sensitivity to collision attacks. I think D is not
> yet in the stage of its development where it starts to care a
> lot about attacks.

IMO this is a _very_ dangerous stance. These kinds of attacks
became well known in 2011, when it turned out that almost all of
the commonly used languages and web frameworks were vulnerable:
http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
It would be nice if D behaved correctly before any actual attack
becomes known.

Besides, AAs are probably already exposed to outside attackers in
vibe.d (didn't check though).

> Currently D programs are able to "attack themselves" just fine
> :-) But as usual patches are (slowly) welcome.
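
The bucket trade-off discussed in this post (linked-list buckets versus a red-black tree per bucket) can be measured with a small model. This is an added example, not code from the thread or from the D runtime; `weak_hash` is a toy modulo hash and the sorted-list bucket is an assumption standing in for a balanced tree, and all keys are constructed.

```python
# Toy model: comparisons needed to insert n keys under each bucket strategy.
# weak_hash and the sorted-list "tree" are assumptions, not D runtime code.

def weak_hash(key, nbuckets):
    return key % nbuckets  # unkeyed, so colliding keys are easy to predict

def insert_list_bucket(bucket, key):
    """Chained bucket: scan every entry for a duplicate, then append."""
    comparisons = 0
    for existing in bucket:
        comparisons += 1
        if existing == key:
            return comparisons
    bucket.append(key)
    return comparisons

def insert_ordered_bucket(bucket, key):
    """Ordered bucket: binary search models a balanced-tree descent."""
    lo, hi, comparisons = 0, len(bucket), 0
    while lo < hi:
        mid = (lo + hi) // 2
        comparisons += 1
        if bucket[mid] < key:
            lo = mid + 1
        else:
            hi = mid
    if lo == len(bucket) or bucket[lo] != key:
        bucket.insert(lo, key)
    return comparisons

def total_comparisons(keys, nbuckets, insert):
    buckets = [[] for _ in range(nbuckets)]
    return sum(insert(buckets[weak_hash(k, nbuckets)], k) for k in keys)

def measure(n=2000, nbuckets=1024):
    spread = list(range(n))                       # constructed: evenly spread keys
    colliding = [i * nbuckets for i in range(n)]  # constructed: all hit bucket 0
    return {
        "list/spread": total_comparisons(spread, nbuckets, insert_list_bucket),
        "list/colliding": total_comparisons(colliding, nbuckets, insert_list_bucket),
        "ordered/colliding": total_comparisons(colliding, nbuckets, insert_ordered_bucket),
    }

if __name__ == "__main__":
    for name, count in measure().items():
        print(f"{name:18} {count:>9} comparisons")
```

With list buckets the colliding key set costs n(n-1)/2 comparisons, while the ordered bucket stays near n log n for the same input.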