
Author pitrou
Recipients fweimer, iankko, pitrou
Date 2013-05-16.10:56:39
I would like to know what is the expected scenario:
- does the attacker only control the certificate?
- or does the attacker control both the certificate and the hostname being validated?

The reason is that the matching cost for a domain name fragment seems to be O(n**k), where n is the fragment length and k is the number of wildcards. Therefore, if the attacker controls both n and k, even limiting k to 2 already allows a quadratic complexity attack.

Date                 User    Action  Args
2013-05-16 10:56:39  pitrou  set     recipients: + pitrou, iankko, fweimer
2013-05-16 10:56:39  pitrou  set     messageid: <>
2013-05-16 10:56:39  pitrou  link    issue17980 messages
2013-05-16 10:56:39  pitrou  create
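
The O(n**k) cost raised in the message above can be measured by counting the steps of a naive backtracking matcher. This is an added example, not part of the original message and not CPython's ssl code; the function names, the zero-or-more wildcard semantics and the `max_wildcards` policy are assumptions made for the illustration.

```python
# Added illustration; not CPython's ssl code. All names are hypothetical.
from math import comb

def count_match_steps(pattern, label):
    """Naive backtracking match of one dot-free name fragment.

    '*' matches zero or more characters. Returns (matched, steps), where
    steps is the number of recursive calls the matcher made.
    """
    steps = 0

    def walk(p, s):
        nonlocal steps
        steps += 1
        if p == len(pattern):
            return s == len(label)
        if pattern[p] == "*":
            # Try every possible length for this wildcard, backtracking on failure.
            return any(walk(p + 1, end) for end in range(s, len(label) + 1))
        return s < len(label) and pattern[p] == label[s] and walk(p + 1, s + 1)

    return walk(0, 0), steps

def match_fragment(pattern, label, max_wildcards=1):
    """Reject fragments with more wildcards than the (assumed) policy allows."""
    if pattern.count("*") > max_wildcards:
        raise ValueError("too many wildcards in fragment: %r" % pattern)
    return count_match_steps(pattern, label)[0]

if __name__ == "__main__":
    # Constructed worst case: k wildcards, then a literal the label never contains.
    for k in (1, 2, 3):
        for n in (20, 40, 80):
            _, steps = count_match_steps("*" * k + "b", "a" * n)
            assert steps == comb(n + k + 1, k)   # grows as n**k for fixed k
            print("k=%d n=%d steps=%d" % (k, n, steps))
```

With one wildcard the step count is linear in the fragment length; with two it roughly quadruples each time the length doubles, which is the quadratic case the message describes.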