One recommendation is to randomize the "secret" per request (the attack works by guessing the secret one character at a time). web2py already randomizes its CSRF tokens on every request (which I take it Django does not do), so I'm not sure web2py has the same vulnerability with regard to the CSRF token (there may be vulnerabilities with other kinds of secret data, though).
Anthony

On Tuesday, August 6, 2013 1:55:29 PM UTC-4, Massimo Di Pierro wrote:

> As I understand this has nothing to do with Django. They discovered an ssh vulnerability that can be used to decrypt part of traffic. It will affect all of us if unpatched.
>
> On Tuesday, 6 August 2013 10:55:06 UTC-5, Chun-Hung Chen wrote:
>
>> Hi,
>>
>> FYI
>> https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

--
You received this message because you are subscribed to the Google Groups "web2py-users" group.
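The size side channel Anthony refers to, and why randomizing the secret per request closes it, as an added Python example that is not part of the thread and is not web2py's or Django's code: a constructed HTML body carries a hidden token and reflects a request parameter; after DEFLATE (the same algorithm HTTP gzip uses) the body is measurably shorter when the reflected text already occurs on the page, so a static token is distinguishable from a non-matching string by length alone. `mask_token` is one standard way to randomize the token's on-the-wire form without changing the underlying secret (a fresh random mask, sent alongside mask XOR secret); it is an assumption here, not a claim about how either framework does it. `SECRET`, `NON_MATCHING_PROBE` and `render_page` are constructed for the demo. To keep the measurement unambiguous the probe contains the whole token, whereas the attack described in the thread proceeds one character at a time and needs many requests.

```python
import secrets
import zlib
from typing import Optional

# Constructed sample value for the demo; a real CSRF secret comes from the framework.
SECRET = "3f9a1c7e2b8d4056"
# Same length as SECRET, shares no 3-character substring with it, no internal repeats.
NON_MATCHING_PROBE = "fedcba9876543210"


def render_page(token: str, reflected: str) -> bytes:
    """Constructed response body: a hidden token plus a reflected query
    parameter, the two ingredients a compression side channel needs."""
    html = (
        "<html><body>"
        f"<input type='hidden' name='csrf' value='{token}'>"
        f"<p>No results for: {reflected}</p>"
        "</body></html>"
    )
    return html.encode()


def compressed_length(body: bytes) -> int:
    """Size of the body after DEFLATE, as an HTTP gzip layer would send it."""
    return len(zlib.compress(body, 6))


def mask_token(secret: str, mask: Optional[bytes] = None) -> str:
    """Per-response randomization (assumed scheme, not web2py's or Django's):
    emit mask || (mask XOR secret) as hex. The raw secret never appears in the
    body, and the emitted value is different on every call."""
    raw = secret.encode()
    if mask is None:
        mask = secrets.token_bytes(len(raw))
    xored = bytes(a ^ b for a, b in zip(raw, mask))
    return mask.hex() + xored.hex()


def unmask_token(masked: str) -> str:
    """Server side: recover the secret from a masked value before validating it."""
    half = len(masked) // 2
    mask = bytes.fromhex(masked[:half])
    xored = bytes.fromhex(masked[half:])
    return bytes(a ^ b for a, b in zip(mask, xored)).decode()


def length_saving(token_on_page: str, candidate: str) -> int:
    """Bytes saved when the reflected text is the candidate instead of a
    non-matching string of the same length. A large positive value means the
    compressor found the candidate elsewhere on the page."""
    with_guess = compressed_length(render_page(token_on_page, "value='" + candidate))
    without = compressed_length(render_page(token_on_page, "value='" + NON_MATCHING_PROBE))
    return without - with_guess


def leaks_secret(token_on_page: str, threshold: int = 4) -> bool:
    """True when the length difference is large enough to single out the
    correct candidate; a static token yields a saving of well over a dozen
    bytes, a freshly masked one stays near zero."""
    return length_saving(token_on_page, SECRET) >= threshold


if __name__ == "__main__":
    print("static token leaks via length:", leaks_secret(SECRET))
    print("masked token leaks via length:", leaks_secret(mask_token(SECRET)))
```

The masked form still validates on the server (`unmask_token` recovers the secret), so the fix changes only what crosses the wire. Note that masking protects the token; any other secret the page echoes next to attacker-influenced text is still exposed, which is the caveat in the message above.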

