Yea... in reality I'd bet my paycheck that the answer is no. Despite Coda's
blog post, you can't use the jitter in HTTP requests to gain any insight
into where a string match fails.

Even if you could do so with hundreds of requests, it's fairly obvious that
an attack is taking place when you get that many bad requests for one
account.

Mike

On Wed, Dec 8, 2010 at 12:10 PM, Alex Gaynor <alex.gay...@gmail.com> wrote:

>
>
> On Wed, Dec 8, 2010 at 3:08 PM, Jonas H. <jo...@lophus.org> wrote:
>
>> Hello out there,
>>
>> what is the point of `django.utils.crypto.constant_time_compare`? I
>> understand it takes O(n) time no matter what input it is fed with, but of
>> what avail is it?
>>
>> Can the time spent in *one single string comparison* really make such a
>> huge difference?
>>
>> Confused,
>> Jonas
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django developers" group.
>> To post to this group, send email to django-develop...@googlegroups.com.
>> To unsubscribe from this group, send email to
>> django-developers+unsubscr...@googlegroups.com<django-developers%2bunsubscr...@googlegroups.com>
>> .
>> For more options, visit this group at
>> http://groups.google.com/group/django-developers?hl=en.
>>
>>
> In theory, yes.  These are a class of attacks known as timing attacks:
> http://en.wikipedia.org/wiki/Timing_attack.  That said I don't know of any
> actual real world attacks using these, but better safe than sorry.
>
> Alex
>
> --
> "I disapprove of what you say, but I will defend to the death your right to
> say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> "Code can always be simpler than you think, but never as simple as you
> want" -- Me
>

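Added here as a worked illustration, not code from this thread or from Django itself: a re-implementation of the idiom `constant_time_compare` relies on (accumulate XOR differences over the whole string, never branch on a mismatch) next to the early-exit comparison it replaces, plus a small local timing harness so the per-byte difference Jonas asks about can be observed with no network involved. The function names and the sample token are assumptions.

```python
import timeit

# Re-implementation for illustration only; django.utils.crypto.constant_time_compare
# and the stdlib hmac.compare_digest exist for production use.
def constant_time_compare(val1: bytes, val2: bytes) -> bool:
    """Return True iff val1 == val2, doing work proportional only to len(val1)."""
    if len(val1) != len(val2):
        return False
    result = 0
    for x, y in zip(val1, val2):
        result |= x ^ y          # accumulate differences, never branch on them
    return result == 0

def early_exit_compare(val1: bytes, val2: bytes) -> bool:
    """Naive byte-by-byte comparison that returns at the first mismatch."""
    if len(val1) != len(val2):
        return False
    for x, y in zip(val1, val2):
        if x != y:               # this branch is what leaks the matching prefix length
            return False
    return True

def leak_ratio(compare, secret: bytes, loops: int = 20000) -> float:
    """Time compare() against a guess wrong in the first byte vs. one wrong only
    in the last byte. A ratio near 1.0 means timing carries no prefix information."""
    wrong_first = bytes([secret[0] ^ 0xFF]) + secret[1:]
    wrong_last = secret[:-1] + bytes([secret[-1] ^ 0xFF])
    t_first = timeit.timeit(lambda: compare(secret, wrong_first), number=loops)
    t_last = timeit.timeit(lambda: compare(secret, wrong_last), number=loops)
    return t_last / t_first

if __name__ == "__main__":
    secret = b"0123456789abcdef0123456789abcdef"  # constructed sample token
    print("early-exit ratio:   ", round(leak_ratio(early_exit_compare, secret), 2))
    print("constant-time ratio:", round(leak_ratio(constant_time_compare, secret), 2))
```

On a quiet machine the early-exit ratio grows with the token length while the constant-time ratio stays close to 1.0; the jitter Mike refers to is what an attacker has to average out across many requests, which is why the check is cheap insurance even when exploitation is impractical.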