Simon Willison’s Weblog

Design and code review requested for Django string signing / signed cookies. Do you know your way around web app security and cryptography (in particular signing things using hmac and sha1)? We’d appreciate your help reviewing the usage of these concepts in Django’s proposed string signing and signed cookie implementations.

# 4th January 2010, 1:24 pm / django, python, security, hashing, sha1, hmac, cryptography, codereview

Cryptographic Right Answers. Best practise recommendations for cryptography: “While some people argue that you should never use cryptographic primitives directly and that trying to teach people cryptography just makes them more likely to shoot themselves in their proverbial feet, I come from a proud academic background and am sufficiently optimistic about humankind that I think it’s a good idea to spread some knowledge around.”

# 11th June 2009, 10:16 pm / cryptography, colinpercival, security, aes, hashing

Bloom Filter Resources. A continuation of the discussion about how to transfer information about a large number of recently updated resources around in an efficient way, Joe provides working code illustrating a simple approach using bloom filters.

# 19th October 2008, 10:22 pm / rest, joe-gregorio, bloom-filters, hashing

Hash Collisions (The Poisoned Message Attack). Demonstrates the MD5 weakness by providing two deliberately engineered PostScript documents with the same MD5 hash but radically different rendered output.

# 4th April 2008, 7:24 pm / md5, postscript, hashing, security, collisions

Consistent Hashing. Beautifully clear explanation of consistent hashing, a simple technique that allows you to add new caching servers to a cluster without re-hashing your keys and hence invalidating all of your caches.

# 18th March 2008, 1 am / caching, scaling, consistenthashing, hashing

In rainbows. Dopplr generates a unique colour for each city using an MD5 hash. The colours are then used in subtle but intelligent ways throughout the design—right down to the favicon.

# 23rd October 2007, 10:39 pm / favicon, dopplr, colour, design, md5, hashing, matt-jones, matt-biddulph

libketama (via) A consistent hashing algorithm for memcache clients, from the team at last.fm.

# 20th April 2007, 6:50 am / lastfm, hashing, memcache, les-orchard

Stopping spambots with hashes and honeypots. Ned’s analysis of how spambots work, along with some relatively simple tricks that should fool most of them.

# 23rd January 2007, 1:39 pm / spambots, commentspam, spam, hashing, ned-batchelder

Schneier on Security: Cryptanalysis of SHA-1. If you want to understand the “breaking” of SHA-1, this is the place to go. Surprisingly accessible.

# 19th February 2005, 3:12 pm / security, cryptanalysis, sha, hashing, bruce-schneier

Schneier on Security: SHA-1 Broken. Whoa.

# 16th February 2005, 4:47 am / sha, security, hashing, bruce-schneier