From: Dario Teixeira <darioteixeira@yahoo.com>
To: OCaml mailing list <caml-list@inria.fr>
Subject: Re: [Caml-list] Re: [oss-security] CVE request: Hash DoS vulnerability (ocert-2011-003)
Date: Tue, 13 Mar 2012 11:08:44 -0700 (PDT) [thread overview]
Message-ID: <1331662124.86804.YahooMailNeo@web111509.mail.gq1.yahoo.com> (raw)
In-Reply-To: <4ec32a156daa6211ca4d465c9a7b8745.squirrel@gps.dynxs.de>
Hi,
> Basically I like the idea of "teaching" users this way. The typical user
> will understand the impact, and act accordingly. Nevertheless, I would
> like it if it would be made as easy as possible to provide good seeds if
> required. The Random module is definitely not good enough (e.g. if you
> know when the program was started like for a cgi, and the cgi reveals
> information it should better not like the pid, the Random seed is made
> from less than 10 unpredictable bits, and on some systems even 0 bits).
>
> The ideal would be to guide the user to the decision whether protection is
> necessary, and if the answer is yes, to give the instructions how to do it
> (and provide all means for it, of course).
I think the problem may be in finding a good source of randomness that is
common across all OSes. In Unixland this problem has largely been solved:
pretty much everyone supports /dev/random and /dev/urandom. Windows
does things differently, however.
Cheers,
Dario Teixeira
next prev parent reply other threads:[~2012-03-13 18:08 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <4F3078F1.8070105@redhat.com>
2012-02-07 1:10 ` Kurt Seifried
2012-02-07 8:34 ` Richard W.M. Jones
2012-03-10 7:31 ` Richard W.M. Jones
2012-03-10 12:31 ` Gerd Stolpmann
2012-03-12 18:03 ` Xavier Leroy
2012-03-13 9:54 ` Romain Bardou
2012-03-13 11:58 ` Paolo Donadeo
2012-03-13 12:31 ` Philippe Veber
2012-03-13 13:23 ` Gerd Stolpmann
2012-03-13 15:39 ` Romain Bardou
2012-03-13 18:27 ` David Allsopp
2012-03-13 18:58 ` Alain Frisch
2012-03-13 18:08 ` Dario Teixeira [this message]
2012-03-13 18:28 ` David Allsopp
2012-03-14 9:23 ` Xavier Leroy
2012-03-13 16:52 ` Richard W.M. Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1331662124.86804.YahooMailNeo@web111509.mail.gq1.yahoo.com \
--to=darioteixeira@yahoo.com \
--cc=caml-list@inria.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).