Interesting read on hash weakness (Not sure if this was shared before)

I looked into this a bit a while ago and my impression was that it’s still unfixed in a lot of places.

It looked like many saw the first ccc talk on the topic (where they pointed out the importance of randomized seeds), but not the second (that even with randomized seeds most of these functions are still broken).

I reported a probably insecure hash function to QT, I think they never fixed that. I discussed this with one of the devs of expat, they shipped a fix with siphash at some point. I tried editing the wikipedia page for murmurhash to make clear this is no longer a suitable function. It got reverted.

I think there’s still potential to exploit this in a lot of places. Though given that it’s “DoS-only” I didn’t feel it’s worth putting too much energy into it.


Leave a Reply