On Sat, 28 Jan 2012 01:53:40 +0100 mar...@v.loewis.de wrote: > > > How so? None of the patches did, but I think it was said several times > > that other types (int, tuple, float) could also be converted to use > > randomized hashes. What's more, there isn't any technical difficulty in > > doing so. > > The challenge again is about incompatibility: the more types you apply this > to, the higher the risk of breaking third-party code. > > Plus you still risk that the hash seed might leak out of the application, > opening it up again to the original attack.
Attacks on the hash seed are a different level of difficulty than sending a well-known universal payload to a Web site. Unless the application leaks hash() values directly, you have to guess them from the dict ordering observed in the application's output. IMHO it's ok if our hash function is vulnerable to cryptanalysts rather than script kiddies. Regards Antoine. _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
