
Author neologix
Recipients Jon.Oberheide, neologix, r.david.murray, sbt, vstinner
Date 2012-04-11.21:18:57
Message-id <CAH_1eM222fEUcqmpGf5jtcF0C+CdUsD1u-BrNPGydNLmKvQGyg@mail.gmail.com>
In-reply-to <1334158167.22.0.330276758065.issue14532@psf.upfronthosting.co.za>
Content
> Given that this issue has affected a lot of security-sensitive third-party code (keyczar, openid providers, almost every python web service that implements "secure cookies" [1] or other HMAC-based REST API signatures), I do like the idea of adding a warning in the relevant documentation as sbt proposed.

This does sound reasonable, along with the addition of a comparison
function immune to timing attacks to the hmac module (as noted, it's
not specific to hmac, but it looks like a reasonable place to add it).
Would you like to submit a patch (new comparison function with
documentation and test)?
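
Added example, not part of the original message or of any patch on this issue: verifying an HMAC-signed cookie with an early-exit `==` comparison next to a timing-safe comparison. The key, the cookie layout and every function name except the standard library's `hmac.compare_digest` are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


def sign(value: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Return value + b'|' + hex HMAC-SHA256 tag (hypothetical cookie layout)."""
    tag = hmac.new(key, value, hashlib.sha256).hexdigest().encode("ascii")
    return value + b"|" + tag


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Illustrates the technique: inspect every byte, decide only at the end.

    Pure Python gives no hard timing guarantee; prefer hmac.compare_digest.
    """
    if len(a) != len(b):
        return False  # the length of a fixed-size tag is not secret
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y  # accumulate differences instead of returning early
    return diff == 0


def _split(cookie: bytes):
    """Split a cookie into (value, tag); (None, None) if it is malformed."""
    value, sep, tag = cookie.rpartition(b"|")
    return (value, tag) if sep else (None, None)


def verify_naive(cookie: bytes, key: bytes = SECRET_KEY):
    """Weak form: == may stop at the first mismatching byte of the tag."""
    value, tag = _split(cookie)
    if value is None:
        return None
    expected = sign(value, key).rpartition(b"|")[2]
    return value if tag == expected else None


def verify(cookie: bytes, key: bytes = SECRET_KEY):
    """Hardened form: same logic, comparison done by hmac.compare_digest."""
    value, tag = _split(cookie)
    if value is None:
        return None
    expected = sign(value, key).rpartition(b"|")[2]
    return value if hmac.compare_digest(tag, expected) else None
```

Both verifiers accept and reject the same inputs; the difference is only in how long a rejection takes relative to how many leading tag bytes were correct.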
History
Date                 User      Action  Args
2012-04-11 21:18:57  neologix  set     recipients: + neologix, vstinner, r.david.murray, sbt, Jon.Oberheide
2012-04-11 21:18:57  neologix  link    issue14532 messages
2012-04-11 21:18:57  neologix  create