On Thu, Sep 29, 2011 at 8:00 PM, Dmitry Chestnykh
<dmi...@codingrobots.com> wrote:

> The more eyes the better, as it touches login code.
> ...COMPARE("AAAAAAAAA", "PASSWORD") returns FALSE in 0.1 msec, but
> COMPARE("PAAAAAAAA", "PASSWORD") returns FALSE in 0.3 msec, because it did
> two comparisons:
>

Given the relatively high overhead fossil has when it opens a db or runs a
query, and network latency, i cannot imagine that someone could accurately
time the difference of a memcmp() operation on 8 or 10 bytes. The number of
factors involved before and after COMPARE is called is just too great. As
was written in the post about sha1 collisions someone linked to earlier: the
chances are higher that all of the members of your dev team will be killed
by wolves in separate incidences on the same night.

If ALL fossil did was accept a request and run a memcmp on one GET
parameter, i might believe it, but given the huge number of variables,
especially network latency, CGI startup time, and db open/query time, the
only way i'll believe that these steps are necessary is if someone actually
breaks a password this way.

All that said - i wouldn't object to this being added (as if my vote
matters! ;), i just think it's overly paranoid.

-- 
----- stephan beal
http://wanderinghorse.net/home/stephan/
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
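For readers following the thread, here is an added example (not code from fossil or from either poster) of the two comparison styles under discussion: an early-exit compare that stops at the first differing byte, as the quoted COMPARE does, next to a constant-time compare that always examines the full expected value. A hypothetical `steps` out-parameter counts the bytes examined so the difference is visible without timing anything.

```c
#include <stddef.h>
#include <string.h>

/* Early-exit comparison: returns at the first mismatching byte, so the
 * work done depends on the length of the common prefix, which is what
 * the quoted message describes. 'steps' reports how many bytes were
 * examined (an illustrative addition, not part of any real API). */
int compare_early_exit(const char *a, const char *b, size_t *steps){
  size_t i;
  for(i = 0;; i++){
    if(a[i] != b[i]){ *steps = i + 1; return 0; }
    if(a[i] == '\0'){ *steps = i + 1; return 1; }
  }
}

/* Constant-time comparison: always walks the full length of the
 * expected value and folds every byte difference into 'diff' with OR,
 * so the amount of work does not depend on where, or whether, the
 * inputs differ. A length mismatch is folded into the result instead
 * of causing an early return; the loop bound is the expected length,
 * so the caller-supplied string does not change the iteration count. */
int compare_constant_time(const char *expected, const char *supplied,
                          size_t *steps){
  size_t nExp = strlen(expected);
  size_t nSup = strlen(supplied);
  unsigned char diff = (unsigned char)(nExp != nSup);
  size_t i;
  for(i = 0; i < nExp; i++){
    /* Stay inside the supplied buffer; the branch depends only on the
     * lengths, never on the secret bytes themselves. */
    unsigned char s = (i < nSup) ? (unsigned char)supplied[i] : 0;
    diff |= (unsigned char)expected[i] ^ s;
  }
  *steps = nExp;
  return diff == 0;
}
```

With the constructed inputs from the quoted message, the early-exit version examines 1 byte for "AAAAAAAAA" but 3 for "PAAAAAAAA", while the constant-time version examines all 8 bytes of "PASSWORD" in every case.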
