Message 189354 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	pitrou
Recipients	fweimer, iankko, pitrou
Date	2013年05月16日.10:56:39
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1368701799.41.0.969214493064.issue17980@psf.upfronthosting.co.za>

Content
I would like to know what is the expected scenario: - does the attacker only control the certificate? - or does the attacker control both the certificate and the hostname being validated? The reason is that the matching cost for a domain name fragment seems to be O(n**k), where n is the fragment length and k is the number of wildcards. Therefore, if the attacker controls both n and k, even limiting k to 2 already allows a quadratic complexity attack.

Content

I would like to know what is the expected scenario:
- does the attacker only control the certificate?
- or does the attacker control both the certificate and the hostname being validated?
The reason is that the matching cost for a domain name fragment seems to be O(n**k), where n is the fragment length and k is the number of wildcards. Therefore, if the attacker controls both n and k, even limiting k to 2 already allows a quadratic complexity attack.

History
Date	User	Action	Args
2013年05月16日 10:56:39	pitrou	set	recipients: + pitrou, iankko, fweimer
2013年05月16日 10:56:39	pitrou	set	messageid: <1368701799.41.0.969214493064.issue17980@psf.upfronthosting.co.za>
2013年05月16日 10:56:39	pitrou	link	issue17980 messages
2013年05月16日 10:56:39	pitrou	create

homepage