At 9:19 AM -0400 7/8/03, Barry Warsaw wrote:
>The data we use:
>- the str() of the output of random.random()
>- the str() of the server's current time
>- the str() of the "content"
>and we concatenate these three strings together before hashing them.
I'm not sitting in front of the source code for Mailman right now
(and I don't read Python), so this brings up a few questions.
- Can random.random() run out of randomness? That is, if you bombard
the machine with requests that call random.random(), will it start
sending out predictable responses?
- What is the granularity of the server's current time? If it is
"seconds", this becomes easily predictable to an attacker. Even if
it is "hundredths of seconds", that only means that the attacker has
to send one or two hundred attempts for each confirmation. Unless
Mailman notes "failed attempt to confirm a subscription", this could
be lost in the noise.
- How many bits of the hash are used? I ask because many programs
that use hashes will not use the whole hash.
The answer to the above three (particularly the first) determines
whether or not an attacker can sensibly forge confirmations. (Of
course, watching the outgoing mail would make this attack easier too.)
--Paul Hoffman, Director
--Internet Mail Consortium
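The three questions above (entropy source, clock granularity, how much of the hash is checked) are answered in one place by the following Python sketch. It is an added example for this thread, not Mailman's code: the token comes from the OS CSPRNG via the `secrets` module rather than from `random.random()` and the server clock, the full digest is stored and compared in constant time, and each failed attempt is logged and counted so guessing does not get lost in the noise. `TOKEN_BYTES`, `MAX_FAILED_ATTEMPTS`, the `PendingConfirmations` class and its in-memory event list are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example, not Mailman's own settings.
TOKEN_BYTES = 20          # 160 bits of CSPRNG output per token
MAX_FAILED_ATTEMPTS = 5   # wrong guesses tolerated before the pending request is voided


def make_token() -> str:
    """Return a fresh confirmation token as 40 hex characters.

    secrets.token_hex reads from the OS CSPRNG, so the token does not depend
    on the server clock or on the message content, and a flood of requests
    cannot drive the generator into a predictable state the way a seeded
    userspace PRNG such as random.random() could.
    """
    return secrets.token_hex(TOKEN_BYTES)


def token_digest(token: str) -> bytes:
    """Full SHA-256 of the token; the whole digest is stored and compared."""
    return hashlib.sha256(token.encode("ascii")).digest()


class PendingConfirmations:
    """Tracks outstanding subscription confirmations for one list (constructed class)."""

    def __init__(self):
        # address -> {"digest": bytes, "failures": int}
        self._pending = {}
        # Constructed in-memory audit sink standing in for the server log.
        self.events = []

    def issue(self, address: str) -> str:
        """Create a token for `address`, keep only its digest, return the token to mail out."""
        token = make_token()
        self._pending[address] = {"digest": token_digest(token), "failures": 0}
        self.events.append(f"confirmation issued for {address}")
        return token

    def confirm(self, address: str, presented: str) -> bool:
        """Validate a presented token. Single-use; voided after too many failures."""
        entry = self._pending.get(address)
        if entry is None:
            self.events.append(f"confirmation attempt with no pending request for {address}")
            return False
        # Constant-time comparison over the full digest, so no early-exit timing signal.
        if hmac.compare_digest(entry["digest"], token_digest(presented)):
            del self._pending[address]
            self.events.append(f"confirmation accepted for {address}")
            return True
        entry["failures"] += 1
        self.events.append(
            f"failed confirmation attempt {entry['failures']} for {address}"
        )
        if entry["failures"] >= MAX_FAILED_ATTEMPTS:
            del self._pending[address]
            self.events.append(
                f"pending confirmation for {address} voided after repeated failures"
            )
        return False

    def has_pending(self, address: str) -> bool:
        """True while `address` still has an unconfirmed, unvoided request."""
        return address in self._pending


if __name__ == "__main__":
    pending = PendingConfirmations()
    token = pending.issue("alice@example.org")   # constructed address
    print("mailed token:", token)
    print("wrong guess accepted?", pending.confirm("alice@example.org", "00" * TOKEN_BYTES))
    print("real token accepted?", pending.confirm("alice@example.org", token))
    print("\n".join(pending.events))
```

Because every token carries 160 bits from `os.urandom`, the number of attempts an attacker needs no longer depends on the clock resolution, and because failures are recorded and capped per address, a burst of guesses shows up in the log instead of blending in with ordinary traffic.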