This was posted yesterday about timing attacks when comparing digests as most of us do in our OAuth implementations.
http://codahale.com/a-lesson-in-timing-attacks/ The problem is not with the standard itself but with the implementations. Luckily it is pretty easy to fix. The above post provides us with fairly easy solutions for both Java and Python. I wrote a fix for Ruby, which I think should provide protection for it: http://github.com/pelle/oauth/commit/c867394b4b14bc893cc29fbb0b1b839066843b93 We will probably do a ruby gem release shortly for this, but in the meantime feel free to use the gem from my oauth repository. It is not afaik esploitable without a fair bit of skill, but I believe it it is definitely exploitable. P -- http://agree2.com - Reach Agreement! http://extraeagle.com - Solutions for the electronic Extra Legal world http://stakeventures.com - Bootstrapping blog --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
