Volker Braun wrote:
Neat, but the flask openid shouldn't and doesn't implement SSL using
pycrypto. Looking at the source, what triggers the warning is

from Crypto.Util.number import long_to_bytes, bytes_to_long

which is used by flask-openid to serialize data to disk.

Still, should we somehow silence the warning (probably by patching our pycrypto package further)?

The easiest solution is of course to simply report this upstream... ;-)

(MPIR 2.7.0.alpha4 still lacks mpz_powm_sec().)


-leif

On Sunday, June 8, 2014 11:21:20 AM UTC+1, Martin Albrecht wrote:

    On Saturday 07 Jun 2014 13:34:18 Volker Braun wrote:
     > Afaik it's only used in the openid module. And exploiting a timing attack
     > over network is most likely not possible.

    they are practical at least over LAN:
    https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

     > On Saturday, June 7, 2014 8:40:54 PM UTC+1, em2slyn wrote:
     > > Hi All:
     > >
     > > I am hosting a Sage server for our department and ever since upgrading to
     > > 6.X the following message displays every time Sage is launched.
     > >
     > > Executing twistd  --pidfile="sage_notebook.sagenb/sagenb.pid" -ny
     > > "sage_notebook.sagenb/twistedconf.tac"
     > >
     > > /home/sageserver/sage-6.2/local/lib/python2.7/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
     > >   _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
     > > .
     > > .
     > > .
     > >
     > > I've been tracking this down and noticed there are a number of posts on
     > > the web related to this warning although not specifically addressing Sage.
     > > Unfortunately, some sites have provided various workarounds but I cannot
     > > seem to find a resolution.
     > >
     > > I am currently hosting Sage 6.2 on Ubuntu Server 12.04 and tried an
     > > experimental build using Ubuntu 14.04. Initially, I installed GMP 6.0.0a
     > > from gmplib.org <http://gmplib.org> and rebuilt Python using the command
     > > *sage -f python* along with *SAGE_UPDATING=yes make*. The warning persisted.
     > > Then I did a complete build from source adding libgmp-dev to the standard
     > > pool of prerequisite packages. Still no luck.
     > >
     > > First of all, is this a problem with Sage or the OS I've selected to use?
     > > Is there a package that is missing that should be included in the build?
     > > Any input would be welcome. Thank you!
     > >
     > > Have a GREAT DAY!!
     > >
     > > Shaun

--
You received this message because you are subscribed to the Google
Groups "sage-support" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to sage-support+unsubscr...@googlegroups.com
<mailto:sage-support+unsubscr...@googlegroups.com>.
To post to this group, send email to sage-support@googlegroups.com
<mailto:sage-support@googlegroups.com>.
Visit this group at http://groups.google.com/group/sage-support.
For more options, visit https://groups.google.com/d/optout.


--
() The ASCII Ribbon Campaign
/\   Help Cure HTML E-Mail
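
Added example, not part of the thread and not pycrypto or GMP code: the warning quoted above concerns modular exponentiation whose amount of work depends on the secret exponent. The sketch counts modular multiplications for a plain square-and-multiply loop and for a fixed-schedule Montgomery ladder, which stands in here for the idea of a same-work-per-size routine and is not GMP's algorithm; the modulus, base and exponents are constructed sample values.

```python
# Added illustration (not pycrypto or GMP code). Modular multiplications are
# counted instead of timed, so the output is deterministic.

def powm_square_multiply(base, exp, mod):
    """Left-to-right square-and-multiply: the extra multiply happens only
    for 1 bits, so the amount of work depends on the secret exponent."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops += 1
        if bit == "1":                  # secret-dependent branch
            result = result * base % mod
            ops += 1
    return result, ops


def powm_ladder(base, exp, mod, bits):
    """Montgomery ladder over a fixed bit length: one multiply and one
    square per bit whatever the bit is. Production code also removes the
    branch itself and uses constant-time limb arithmetic."""
    r0, r1, ops = 1, base % mod, 0
    for i in range(bits - 1, -1, -1):
        if (exp >> i) & 1:
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r0, r1 = r0 * r0 % mod, r0 * r1 % mod
        ops += 2
    return r0, ops


# Constructed sample values: two 64-bit exponents with very different weights.
MOD = 2**127 - 1
BASE = 3
EXPONENTS = {"sparse": (1 << 63) | 1, "dense": (1 << 64) - 1}


def compare(bits=64):
    report = {}
    for label, exp in EXPONENTS.items():
        naive, naive_ops = powm_square_multiply(BASE, exp, MOD)
        ladder, ladder_ops = powm_ladder(BASE, exp, MOD, bits)
        report[label] = {
            "agree": naive == ladder == pow(BASE, exp, MOD),
            "naive_ops": naive_ops,
            "ladder_ops": ladder_ops,
        }
    return report
```

Calling `compare()` shows the square-and-multiply count nearly doubling between the two same-size exponents while the ladder count stays fixed.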
