[Python-Dev] hash randomization in 3.3
Stephen J. Turnbull stephen at xemacs.org
Thu Feb 23 08:12:39 CET 2012
Antoine Pitrou writes:

> How is it a "false sense of security" at all? It's the same as
> setting a private secret for e.g. session cookies in Web applications.
> As long as you don't leak the seed, it's (should be) secure.

That's true. The problem is, the precondition that you won't leak the
seed is all too often false. If a user takes advantage of the ability
to set the seed, she can leak it, or a coworker (or a virus) can steal
it from her source or keystroke logging, etc.

And it's not the same, at least not for a highly secure application.
In high-quality security, session keys are generated for each session
(and changed frequently); the user doesn't know them (of course, he
can always find out if he really wants to know, and sometimes that's
necessary -- Hello, Debian OpenSSH maintainer!), and so can't leak
them.
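The distinction drawn in the message above, between a seed that a user fixes (and can therefore leak) and a secret that each process generates for itself, can be observed directly with the PYTHONHASHSEED environment variable that CPython 3.3+ honours. The following example is added here and is not part of the mailing-list post; the function names are my own. It starts fresh interpreters, compares the string hash each one computes, and shows that a fixed seed makes hash values reproducible across processes (the precondition that the seed stays secret is then carrying all the weight), while leaving the seed unset gives every process its own random key, the per-session model the reply argues for. `fresh_session_secret` shows the equivalent idiom for application-level secrets using the standard `secrets` module.

```python
import os
import secrets
import subprocess
import sys
from typing import Optional


def hash_of_in_subprocess(value: str, seed: Optional[str]) -> int:
    """Return hash(value) as computed by a brand-new interpreter.

    seed=None  -> PYTHONHASHSEED is left unset, so the child derives its own
                  random key from the OS (the 3.3+ default).
    seed="0"   -> hash randomization is disabled entirely.
    seed="N"   -> a user-chosen fixed seed; anyone who learns N can reproduce
                  every hash value, which is the leak risk discussed above.
    """
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)  # start from a clean slate
    if seed is not None:
        env["PYTHONHASHSEED"] = seed
    completed = subprocess.run(
        [sys.executable, "-c", f"print(hash({value!r}))"],
        env=env,
        capture_output=True,
        text=True,
        check=True,
    )
    return int(completed.stdout.strip())


def seed_is_predictable(value: str, seed: Optional[str], runs: int = 3) -> bool:
    """True when every fresh interpreter agrees on hash(value).

    Agreement across independent processes means the hash is reproducible
    by anyone holding the same seed; disagreement means each process has
    its own per-process secret.
    """
    observed = {hash_of_in_subprocess(value, seed) for _ in range(runs)}
    return len(observed) == 1


def fresh_session_secret(nbytes: int = 32) -> bytes:
    """Generate a new secret for each session rather than reusing a fixed one.

    secrets.token_bytes draws from the OS CSPRNG; the caller never has to
    type or store a seed, so there is nothing to copy out of a config file.
    """
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    sample = "session-id"  # constructed sample key, any string will do
    print("fixed seed 12345 reproducible:", seed_is_predictable(sample, "12345"))
    print("seed 0 (randomization off)   :", seed_is_predictable(sample, "0"))
    print("seed unset (random per process):", seed_is_predictable(sample, None))
    print("two session secrets differ    :",
          fresh_session_secret() != fresh_session_secret())
```

Run it with a normal Python 3.3+ interpreter; the first two checks print `True` and the third `False`, which is the whole point: only when no one chooses the seed is there nothing to leak.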