by cobbal
300 days ago
It's a common mistake to apply probabilistic assumptions to attacker input. The only [citation needed] correct way to use probability in security is when you get randomness from a CSPRNG. Then you can assume you have input conforming to a probability distribution. If your input is chosen by the person trying to break your system, you must assume it's a worst-case input and secure accordingly.