On Tue, Feb 19, 2019 at 3:11 PM Alexei Podtelezhnikov <apodt...@gmail.com> wrote:
>
> > an unprivileged attacker could potentially utilize a flush+reload cache
> > side-channel attack to measure the execution time of said subroutine to
> > infer user input.
>
> Isn't it why my passwords show up as ●●●●●●●●● in sensible applications?
> The random fuss should also be added there in those applications. I
> really do not see why we should be concerned.
I agree. And most passwords are in the ASCII range, which is very likely already loaded (Xserver core protocol fonts or Xrender fonts) in one piece, and most rendering engines load glyphs in complete Unicode blocks.

Beyond that, the same argumentation could be used *everywhere*, e.g. the ssh protocol with compression enabled + sufficiently fine-grained clock ticks + a password prompt of a remote application. At some point trying to "optimise" for this makes no sense unless you redesign the operating system to prevent such things. FreeType is clearly the wrong place, unless we go after ALL the shared libraries which have functions with variable processing time based on user input.

Oh, and can we please involve libncurses ([1]) ... =:-)

[1] = Cursing && swearing allowed... :-)

----

Bye,
Roland

--
  __ .  . __
 (o.\ \/ /.o) roland.ma...@nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)

_______________________________________________
Freetype-devel mailing list
Freetype-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-devel