From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by walapai.inria.fr (8.13.6/8.13.6) with ESMTP id q2DI8q18001153 for ; Tue, 13 Mar 2012 19:08:52 +0100 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AqQJAOSLX09ii1tZbWdsb2JhbAA2DaQhkWwNChMTBCSCBAUBAQQBCyAVAQIVIgEDCwYFRi8BDgEGBAENBogYBQSqUAqCZ4UniTIBBgoBkFoEiFWNAoViLUyIYYNl X-IronPort-AV: E=Sophos;i="4.73,578,1325458800"; d="scan'208";a="149157752" Received: from nm19.bullet.mail.sp2.yahoo.com ([98.139.91.89]) by mail1-smtp-roc.national.inria.fr with SMTP; 13 Mar 2012 19:08:46 +0100 Received: from [98.139.91.65] by nm19.bullet.mail.sp2.yahoo.com with NNFMP; 13 Mar 2012 18:08:45 -0000 Received: from [72.30.22.37] by tm5.bullet.mail.sp2.yahoo.com with NNFMP; 13 Mar 2012 18:08:45 -0000 Received: from [127.0.0.1] by omp1067.mail.sp2.yahoo.com with NNFMP; 13 Mar 2012 18:08:45 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 499738.24720.bm@omp1067.mail.sp2.yahoo.com Received: (qmail 90549 invoked by uid 60001); 13 Mar 2012 18:08:45 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1331662125; bh=XyvEHpRB2HFcEXxCIl4ePlHFEJXtb7JWCnBjq92W6iY=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Z2yhgE21UshC9VdPb6DRJUSxdcWJp/sT84+zz1gO+8ex+5vRa/AlCiXn3ovLcRUUQ+6MA8eeIR2+hSUXRq4E2b0Jz67XTHRwqBraiHdsQWH8lQI46SCq4BWvdJ4tK2w57r8FJgugy07a84roqNAn9rnSZux6nkWy3bfsU5PrM7I= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=pqu8CtrEitLHuQCFF++7tbEo6t7U+yB2QWXOUiG6a0HgK79oAOLCLKeZvntx7URK06fMTZcXGBiktA2kBpXAcOOHWIDIfPAukaHqzygg139Dl+rULFMMgvgY/0xh40ngzcn1kkfkwHlChTvY6mu+jAt6YjQrSQDOGLuARC8VAkA=; X-YMail-OSG: km6KEhkVM1motquVJTJkvoTQT94xGvg9VLESNrcPO3nH29Q hqq8yEraiIIKCdtc3QfGVNmxRAsavGger4slJCyo8WZp9daRnAKs5JCxe1sm D80VPUfDNdJehCVseC_V1zGDVyoXSxfhQy.VLYzC9DLJdHkjPbKc4o7OvUIy ufVJaaIfqq9coZG05YzTsDhA6FF72fuG2tdO.AZVXYQIOHDzjtuytg8CL_n6 bkFxk2Yc9y19ksCz4xJrYIpLmmUly_U6Bq8cSGJUAad2y_8GkhQJkwkQv3gy t0WMk3mctkhljsEuIXzghCdO.Gy1IngnJLWDpr2.NWIc8YR0LzvBQme7ERxH gqHBoUP_Xv.pCek5OqiEpt1F9YWoX8RFIP9rgyuZkiabgy5lhxM1klsl1Qvj DPDTSYZVx9cZtM6aVfS2zM.43vuNE7lybLYn4tYdY.SgZ0_XhmmWInt90bs1 GLwrQ9B7voQ-- Received: from [195.23.39.235] by web111509.mail.gq1.yahoo.com via HTTP; Tue, 13 Mar 2012 11:08:44 PDT X-Mailer: YahooMailWebService/0.8.117.340979 References: <4F3078F1.8070105@redhat.com> <4F3079F7.4040606@redhat.com> <20120207083412.GA30350@annexia.org> <20120310073113.GA16716@annexia.org> <4F5E3A6E.4010406@inria.fr> <4F5F1968.20600@lsv.ens-cachan.fr> <4ec32a156daa6211ca4d465c9a7b8745.squirrel@gps.dynxs.de> Message-ID: <1331662124.86804.YahooMailNeo@web111509.mail.gq1.yahoo.com> Date: Tue, 13 Mar 2012 11:08:44 -0700 (PDT) From: Dario Teixeira Reply-To: Dario Teixeira To: OCaml mailing list In-Reply-To: <4ec32a156daa6211ca4d465c9a7b8745.squirrel@gps.dynxs.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by walapai.inria.fr id q2DI8q18001153 Subject: Re: [Caml-list] Re: [oss-security] CVE request: Hash DoS vulnerability (ocert-2011-003) Hi, > Basically I like the idea of "teaching" users this way. The typical user > will understand the impact, and act accordingly. Nevertheless, I would > like it if it would be made as easy as possible to provide good seeds if > required. The Random module is definitely not good enough (e.g. if you > know when the program was started like for a cgi, and the cgi reveals > information it should better not like the pid, the Random seed is made > from less than 10 unpredictable bits, and on some systems even 0 bits). > > The ideal would be to guide the user to the decision whether protection is > necessary, and if the answer is yes, to give the instructions how to do it > (and provide all means for it, of course). I think the problem may be in finding a good source of randomness that is common across all OSes.  In Unixland this problem has largely been solved: pretty much everyone supports /dev/random and /dev/urandom.  Windows does things differently, however. Cheers, Dario Teixeira