User: Password:
Subscribe / Log in / New account

Hash collision security issue (now public)

From:  Michael Foord <>
To:  Python Dev <>
Subject:  Hash collision security issue (now public)
Date:  Thu, 29 Dec 2011 01:28:45 +0000
Message-ID:  <>
Archive-link:  Article

Hello all,

A paper (well, presentation) has been published highlighting security problems with the hashing
algorithm (exploiting collisions) in many programming languages Python included:

Although it's a security issue I'm posting it here because it is now public and seems important.

The issue they report can cause (for example) handling an http post to consume horrible amounts of
cpu. For Python the figures they quoted:

	reasonable-sized attack strings only for 32 bits Plone has max. POST size of 1 MB
	7 minutes of CPU usage for a 1 MB request
	~20 kbits/s → keep one Core Duo core busy

This was apparently reported to the security list, but hasn't been responded to beyond an
acknowledgement on November 24th (the original report didn't make it onto the security list because
it was held in a moderation queue). 

The same vulnerability was reported against various languages and web frameworks, and is already
fixed in some of them.

Their recommended fix is to randomize the hash function.

All the best,



May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing

Python-Dev mailing list

(Log in to post comments)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds