ReDoS - the security threat that no-one knows about. At least that how it seems, every time I talk to developers about ReDoS and get blank looks. Or when the results of a code audit highlight a bunch of evil regular expressions. We need to talk about ReDoS. In this post, I’ll explain what ReDoS actually is, and what developers can do about it. What is ReDoS? So, what is a ReDoS attack?

This system provides 128-bit security level. Ever seen a statement like this, and wondered what it meant? When we talk about security level, we’re basically talking about the number of steps an attacker would need in order to break a cryptographic system. So taking the above statement, that means that any attack on that system would require at least 2128 steps. Let’s take an example. Imagine an encryption system that uses a 128-bit key.

Let me take you on a trip back in time. Back exactly 109 years ago today, to the 22nd of May, 1915. We’re a year in to the first world war, and we’re in Edinburgh, Scotland. 500 men board a train in the middle of the night, bound for the front line in Gallipoli. But they would never make it. This is a story about the worst rail disaster in British history.