On Sat, 28 Jan 2012 01:53:40 +0100 martin at v.loewis.de wrote: > > > How so? None of the patches did, but I think it was said several times > > that other types (int, tuple, float) could also be converted to use > > randomized hashes. What's more, there isn't any technical difficulty in > > doing so. > > The challenge again is about incompatibility: the more types you apply this > to, the higher the risk of breaking third-party code. > > Plus you still risk that the hash seed might leak out of the application, > opening it up again to the original attack. Attacks on the hash seed are a different level of difficulty than sending a well-known universal payload to a Web site. Unless the application leaks hash() values directly, you have to guess them from the dict ordering observed in the application's output. IMHO it's ok if our hash function is vulnerable to cryptanalysts rather than script kiddies. Regards Antoine.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4