Great Circle Associates List-Managers
(July 2003)

Subject: Re: [Mailman-Developers] Possible yahoogroups problem.
From: Paul Hoffman / IMC <phoffman @ imc . org>
Date: Thu, 10 Jul 2003 21:35:10 +0200
To: barry @ python . org, list-managers @ greatcircle . com
Cc: mailman-developers @ python . org
In-reply-to: <1057670346.1546.58.camel@anthem>
References: <FA971FF0-B107-11D7-B4AD-0003934516A8@plaidworks.com> <1057670346.1546.58.camel@anthem>

At 9:19 AM -0400 7/8/03, Barry Warsaw wrote:
>The data we use:
>
>- the str() of the output of random.random()
>- the str() of the server's current time
>- the str() of the "content"
>
>and we concatenate these three strings together before hashing them.

I'm not sitting in front of the source code for Mailman right now 
(and I don't read Python), so this brings up a few questions.

- Can random.random() run out of randomness? That is, if you bombard 
the machine with requests that call random.random(), will it start 
sending out predictable responses?

- What is the granularity of the server's current time? If it is 
"seconds", this becomes easily predictable to an attacker. Even if 
it is "hundredths of seconds", that only means that the attacker has 
to send one or two hundred attempts for each confirmation. Unless 
Mailman notes "failed attempt to confirm a subscription", this could 
be lost in the noise.

- How many bits of the hash are used? I ask because many programs 
that use hashes will not use the whole hash.

The answer to the above three (particularly the first) determines 
whether or not an attacker can sensibly forge confirmations. (Of 
course, watching the outgoing mail would make this attack easier too. 
:-) )

--Paul Hoffman, Director
--Internet Mail Consortium
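As an added example (not Mailman's code and not from this thread), here is one way a list server could issue confirmation cookies so that the three questions above have reassuring answers: the secret comes from the OS CSPRNG rather than random.random(), the server clock only bounds the cookie's lifetime and contributes nothing to unpredictability, the whole value is compared in constant time rather than a prefix, and every failed confirmation is counted and logged so a burst of guesses does not get lost in the noise. The class, method names and the 160-bit length are assumptions of this example.

```python
import hmac
import logging
import secrets
import time

log = logging.getLogger("confirm")


class ConfirmationTokens:
    """Hypothetical issuer/checker for subscription-confirmation cookies.

    The cookie is 160 bits straight from the OS CSPRNG, so a flood of
    requests cannot drain or predict it; the clock only sets an expiry;
    the full value is checked; failed confirmations are counted.
    """

    def __init__(self, max_failures=5, ttl_seconds=3 * 86400):
        self._pending = {}      # content -> (cookie_hex, issued_at)
        self._failures = {}     # content -> failed confirmation attempts
        self._max_failures = max_failures
        self._ttl = ttl_seconds

    def issue(self, content, now=None):
        """Create a cookie for `content` (e.g. list name + subscriber address)."""
        now = time.time() if now is None else now
        cookie = secrets.token_hex(20)          # 40 hex chars = 160 random bits
        self._pending[content] = (cookie, now)
        return cookie

    def confirm(self, content, cookie, now=None):
        """Return True and consume the cookie if it matches; else record a failure."""
        now = time.time() if now is None else now
        if self._failures.get(content, 0) >= self._max_failures:
            log.warning("confirmation for %r locked after repeated failures", content)
            return False
        entry = self._pending.get(content)
        if entry is not None:
            expected, issued_at = entry
            presented = str(cookie).encode("utf-8", "replace")
            # constant-time comparison over the whole cookie, never a prefix
            if now - issued_at <= self._ttl and hmac.compare_digest(expected.encode(), presented):
                del self._pending[content]
                self._failures.pop(content, None)
                return True
        # the "failed attempt to confirm a subscription" note the thread asks about
        self._failures[content] = self._failures.get(content, 0) + 1
        log.warning("failed attempt to confirm %r (%d so far)", content, self._failures[content])
        return False

    def failures(self, content):
        return self._failures.get(content, 0)
```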

