On 25 Feb 2014 23:23, "Donald Stufft" <don...@stufft.io> wrote: > > > On Feb 25, 2014, at 8:17 AM, Antoine Pitrou <solip...@pitrou.net> wrote: > > > On Tue, 25 Feb 2014 08:08:09 -0500 > > Donald Stufft <don...@stufft.io> wrote: > >> > >> Hash randomization is broken and doesn't fix anything. > > > > Not sure what you mean with "doesn't fix anything". Hash collisions were > > easy to exploit pre-hash randomization, they doesn't seem as easy to > > exploit with it. > > Instead of pre-generating one set of values that can be be used to DoS things > you have to pre-generate 256 sets of values and try them until you get the > right one. It's like putting on armor made of paper and saying it's harder to > stab you now.
This isn't quite correct - the hash randomisation can at least be combined with aggressive process recycling to present a moving target that is harder to attack. Without any hash randomisation at all, process recycling can't help in the slightest. SIPHash is still the real fix, although the reality remains that an attacker that really wants to bring a site down is likely to achieve their aims, regardless of whether or not there's a specific DoS vulnerability in the application server. Cheers, Nick. > > > ----------------- > Donald Stufft > PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA > > > _______________________________________________ > Python-Dev mailing list > Python-Dev@python.org > https://mail.python.org/mailman/listinfo/python-dev > Unsubscribe: https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com >
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
