Showing content from http://mail.python.org/pipermail/python-dev/2012-February/116722.html below:

[Python-Dev] hash randomization in 3.3

Barry Warsaw barry at python.org
Tue Feb 21 22:33:10 CET 2012
On Feb 21, 2012, at 09:58 PM, Xavier Morel wrote:

>On 2012-02-21, at 21:24 , Brett Cannon wrote:
>> On Tue, Feb 21, 2012 at 15:05, Barry Warsaw <barry at python.org> wrote:
>> 
>>> On Feb 21, 2012, at 02:58 PM, Benjamin Peterson wrote:
>>> 
>>>> 2012/2/21 Antoine Pitrou <solipsis at pitrou.net>:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>> Shouldn't it be enabled by default in 3.3?
>>> 
>>> Yes.
>>> 
>>>> Should you be able to disable it?
>>> 
>>> No, but you should be able to provide a seed.
>> 
>> I think that's inviting trouble if you can provide the seed. It leads to a
>> false sense of security in that providing some seed secures them instead of
>> just making it a tad harder for the attack.
>
>I might have misunderstood something, but wouldn't providing a seed always 
>make it *easier* for the attacker, compared to a randomized hash?

I don't think so.  You'd have to somehow coerce the sys.hash_seed out of the
process.  Not impossible perhaps, but unlikely unless the application isn't
written well and leaks that information (which is not Python's fault).

Plus, with randomization enabled, that won't help you much past the current
invocation of Python.

-Barry
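
The difference between a supplied seed and per-invocation randomization discussed in this message, as an added example that is not part of the original post. It uses the PYTHONHASHSEED environment variable and sys.flags.hash_randomization from released CPython rather than the sys.hash_seed name used in the message; the probe string and seed values are constructed.

```python
import os
import subprocess
import sys

# Constructed probe: print the hash of a fixed string and the interpreter's
# hash_randomization flag from inside a fresh Python process.
PROBE = "import sys; print(hash('python-dev'), sys.flags.hash_randomization)"


def child_hash(seed):
    """Start a new interpreter with PYTHONHASHSEED=seed; return (hash, flag)."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.run(
        [sys.executable, "-c", PROBE],
        env=env, capture_output=True, text=True, check=True,
    ).stdout
    value, flag = out.split()
    return int(value), int(flag)


def survey(runs=4):
    """Collect the distinct hash values seen across several invocations."""
    fixed = {child_hash(1234)[0] for _ in range(runs)}       # operator-supplied seed
    other = {child_hash(4321)[0] for _ in range(runs)}       # a different supplied seed
    random_ = {child_hash("random")[0] for _ in range(runs)}  # fresh seed per process
    return {
        "fixed": fixed,
        "other_seed": other,
        "random": random_,
        "seed0_flag": child_hash(0)[1],          # seed 0 switches randomization off
        "random_flag": child_hash("random")[1],
    }


if __name__ == "__main__":
    result = survey()
    # A supplied seed gives one value that holds for every invocation, so its
    # protection rests entirely on the seed staying secret.
    print("fixed seed 1234 :", len(result["fixed"]), "distinct value(s)")
    print("fixed seed 4321 :", len(result["other_seed"]), "distinct value(s)")
    # A random seed gives a new value per process, so a value learned from
    # one invocation says nothing about the next.
    print("random seed     :", len(result["random"]), "distinct value(s)")
    print("flag with seed 0:", result["seed0_flag"])
    print("flag with random:", result["random_flag"])
```
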