Simon Willison’s Weblog


Monday, 4th January 2010

Timing attack in Google Keyczar library. An issue I also need to fix in the proposed Django signing code. If you’re comparing two strings in crypto (e.g. seeing if the provided signature matches the expected signature) you need to use a timing independent string comparison function or you risk leaking information. This kind of thing is exactly why I want an audited signing module in Django rather than leaving developers to figure it out on their own. # 3:23 pm

Design and code review requested for Django string signing / signed cookies. Do you know your way around web app security and cryptography (in particular signing things using hmac and sha1)? We’d appreciate your help reviewing the usage of these concepts in Django’s proposed string signing and signed cookie implementations. # 1:24 pm

PythonInterface—OpenCV (via) OpenCV’s new Python interface looks very nice. I’d love to see some full fledged examples of using it to solve real-world computer vision problems. # 11:33 am

Self-Proclaimed Social Media Gurus on Twitter Multiplying Like Rabbits (via) 15,740 of them, including 2,091 social media consultants, 807 social media experts, 445 social media gurus and 68 social media stars. # 1:49 am

2010 » January