On Thu, Sep 29, 2011 at 8:57 PM, Dmitry Chestnykh <dmi...@codingrobots.com> wrote:

> I posted a link about this concern:
> http://rdist.root.org/2010/01/07/timing-independent-array-comparison/

So why not simply add the following logic to server mode:

A) fetch config option "add-random-sleep" (integer, default=0)
B) if ((A)>0) AND user is nobody, sleep for random 1..(A) ms.

(This attack would seem to be useless for anyone but the nobody user. If you're logged in, you've got your password, and anonymous gets a random password.)

That variance is far, far higher than:

> to filter it. They conclude that an attacker can reliably detect processing
> differences as low as 200 nanoseconds on a LAN or 30 microseconds on a WAN
> given only 1000 measurements.

or am I missing an important detail (that can't be ruled out!)?

-- 
----- stephan beal
http://wanderinghorse.net/home/stephan/
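The comparison technique from the linked rdist.root.org article, shown as an added example that is not Fossil's own code and not part of the thread above. It puts an early-exit comparison (the memcmp/strcmp shape) beside a timing-independent one, and instead of measuring wall-clock time, which varies from run to run, it counts the bytes each routine touches: for the early-exit version that count tracks the length of the matching prefix, which is the signal a timing attacker measures, while the timing-independent version touches every byte regardless. The 16-byte secret and the guess-building helper are constructed for the demonstration; the function names are invented here.

```c
/* Added example, not Fossil's own code: a timing-independent comparison
 * (as described at rdist.root.org) beside an early-exit comparison, with a
 * byte counter standing in for wall-clock time so the difference is visible
 * deterministically. */
#include <stdio.h>
#include <stddef.h>

/* Early-exit comparison in the style of memcmp/strcmp: stops at the first
 * mismatching byte, so the number of bytes touched (and therefore the time
 * spent) depends on how long the common prefix between a and b is. */
static int early_exit_eq(const unsigned char *a, const unsigned char *b,
                         size_t n, size_t *bytes_touched){
  size_t i;
  *bytes_touched = 0;
  for(i=0; i<n; i++){
    (*bytes_touched)++;
    if( a[i]!=b[i] ) return 0;   /* leaks the position of the first mismatch */
  }
  return 1;
}

/* Timing-independent comparison: always walks all n bytes and ORs the XOR of
 * each pair into an accumulator. The only data-dependent branch is the final
 * test on the accumulator, so every input touches exactly n bytes. */
static int timing_independent_eq(const unsigned char *a, const unsigned char *b,
                                 size_t n, size_t *bytes_touched){
  unsigned char diff = 0;
  size_t i;
  *bytes_touched = 0;
  for(i=0; i<n; i++){
    (*bytes_touched)++;
    diff |= (unsigned char)(a[i] ^ b[i]);
  }
  return diff==0;
}

/* Constructed 16-byte secret for the demonstration (no terminating NUL is
 * needed; the routines work on fixed-length byte arrays). */
static const unsigned char secret[16] = "correct-horse-bt";

/* Build a guess that matches the first prefix_len bytes of the secret and
 * differs in every byte after that ('A'+i never occurs in the secret). */
static void build_guess(unsigned char *guess, size_t prefix_len){
  size_t i;
  for(i=0; i<16; i++){
    guess[i] = i<prefix_len ? secret[i] : (unsigned char)('A'+i);
  }
}

/* Bytes the early-exit routine touches for a guess with the given prefix. */
size_t early_bytes_for_prefix(size_t prefix_len){
  unsigned char guess[16];
  size_t touched;
  build_guess(guess, prefix_len);
  early_exit_eq(secret, guess, 16, &touched);
  return touched;
}

/* Bytes the timing-independent routine touches for the same guess. */
size_t ct_bytes_for_prefix(size_t prefix_len){
  unsigned char guess[16];
  size_t touched;
  build_guess(guess, prefix_len);
  timing_independent_eq(secret, guess, 16, &touched);
  return touched;
}

/* 1 if both routines give the same equality verdict for this guess. */
int routines_agree(size_t prefix_len){
  unsigned char guess[16];
  size_t t1, t2;
  build_guess(guess, prefix_len);
  return early_exit_eq(secret, guess, 16, &t1)
      == timing_independent_eq(secret, guess, 16, &t2);
}

int main(void){
  size_t p;
  for(p=0; p<=16; p++){
    printf("prefix %2zu: early-exit touched %2zu bytes, timing-independent touched %2zu\n",
           p, early_bytes_for_prefix(p), ct_bytes_for_prefix(p));
  }
  return 0;
}
```

Running it prints one line per prefix length: the early-exit count climbs from 1 to 16 as the guess gets one more byte right, while the timing-independent count stays at 16 throughout. Only a full 16-byte match makes either routine report equality, so the two agree on the verdict and differ only in what their running time reveals.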
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users