Antoine Pitrou added the comment:

I would like to know what is the expected scenario:
- does the attacker only control the certificate?
- or does the attacker control both the certificate and the hostname being 
validated?

The reason is that the matching cost for a domain name fragment seems to be 
O(n**k), where n is the fragment length and k is the number of wildcards. 
Therefore, if the attacker controls both n and k, even limiting k to 2 already 
allows a quadratic complexity attack.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue17980>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
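The growth described in the comment above can be measured with a step-counting backtracking matcher. This is an added example, not code from the original message or from CPython's `ssl` module; `match_fragment`, `worst_case_steps` and `max_wildcards` are hypothetical names, and the inputs are constructed.

```python
"""Added illustration: cost of backtracking wildcard matching on one label.
All names are hypothetical; this is not the code of ssl.match_hostname."""


def match_fragment(pattern, fragment, max_wildcards=None):
    """Match one dot-free fragment against a pattern in which '*' matches any
    run of characters. Returns (matched, steps); steps counts matcher calls."""
    if max_wildcards is not None and pattern.count("*") > max_wildcards:
        raise ValueError("too many wildcards in pattern: %r" % pattern)
    steps = 0

    def rec(pi, fi):
        nonlocal steps
        steps += 1
        if pi == len(pattern):
            return fi == len(fragment)
        if pattern[pi] == "*":
            # Backtracking: try every possible length for this wildcard.
            return any(rec(pi + 1, fj) for fj in range(fi, len(fragment) + 1))
        return (fi < len(fragment) and pattern[pi] == fragment[fi]
                and rec(pi + 1, fi + 1))

    return rec(0, 0), steps


def worst_case_steps(n, k):
    """Steps for a constructed non-matching input: k wildcards, length-n fragment."""
    matched, steps = match_fragment("*" * k + "b", "a" * n)
    assert not matched
    return steps


if __name__ == "__main__":
    for k in (1, 2, 3):
        row = [worst_case_steps(n, k) for n in (25, 50, 100)]
        print("k=%d" % k, row)  # doubling n multiplies the work by about 2**k
```

For this constructed input the step count is exactly C(n+k+1, k), which grows as n**k for fixed k; passing `max_wildcards` rejects the pattern before any matching work is done.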