Message 162875 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ncoghlan
Recipients	arigo, christian.heimes, fijall, hynek, loewis, ncoghlan, petri.lehtinen, pitrou
Date	2012-06-15.08:42:18
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1339749739.21.0.659010422263.issue15061@psf.upfronthosting.co.za>
In-reply-to

Content
FWIW, Petri's example also explains why leaking the expected length of the string is considered an acceptable optimisation in most reimplementations of this signature check comparison: the attacker is assumed to already know the expected length of the signature, because it's part of a documented protocol or API. However, I think it's more reasonable for a standard library implementation to omit that optimisation by default.

FWIW, Petri's example also explains why leaking the expected length of the string is considered an acceptable optimisation in most reimplementations of this signature check comparison: the attacker is assumed to already know the expected length of the signature, because it's part of a documented protocol or API.

However, I think it's more reasonable for a standard library implementation to omit that optimisation by default.

History
Date	User	Action	Args
2012-06-15 08:42:19	ncoghlan	set	recipients: + ncoghlan, loewis, arigo, pitrou, christian.heimes, fijall, petri.lehtinen, hynek
2012-06-15 08:42:19	ncoghlan	set	messageid: <1339749739.21.0.659010422263.issue15061@psf.upfronthosting.co.za>
2012-06-15 08:42:18	ncoghlan	link	issue15061 messages
2012-06-15 08:42:18	ncoghlan	create