btw, Tim's commit message on this one is amusingly relevant. :) http://hg.python.org/cpython/diff/8d2bbbbf2cb9/Objects/dictobject.c
On Fri, Jan 13, 2012 at 6:25 PM, Gregory P. Smith <g...@krypto.org> wrote:
>
>> Clearly these ideas are more complex than adding randomization, but
>> adding randomization doesn't seem to produce immunity from attack, when
>> data about the randomness is leaked.
>>
>
> Which will not normally happen.
>
> I'm firmly in the camp that believes the random seed can be probed and
> determined by creatively injecting values and measuring timing of things.
> But doing that is difficult and time and bandwidth intensive so the per
> process random hash seed is good enough.
>
> There's another elephant in the room here, if you want to avoid this
> attack use a 64-bit Python build as it uses 64-bit hash values that are
> significantly more difficult to force a collision on.
>
> -gps
>