On 10/05/2013 01:14 AM, Victor Stinner wrote:
> And how do you retrieve the whole hash value from an HTTP page? You may retrieve some bits using specific HTTP requests, but not directly the whole hash value. I don't know any web page displaying directly the hash value of a string coming from the user request!?

Armin Rigo handwaves his way through an approach here:

   http://bugs.python.org/issue14621#msg173455

You use a "timing attack" to get the algorithm to "leak" a bit at a time. I have no idea how that actually works; I don't have a background in security, nor a sufficiently devious mindset to work it out for myself.


//arry/
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev