I would note that this bug is not OAuth-specific but in principle affects other protocols that perform signature validation via HMACs.
This is a good reason not to roll out new crypto code willy-nilly. If you use a established crypto library then when people fix bugs (possibly mitigating discovered attacks against other protocols), the fix may protect your implementation as well. On Fri, Aug 14, 2009 at 11:53 AM, Pelle Braendgaard<[email protected]> wrote: > > This was posted yesterday about timing attacks when comparing digests > as most of us do in our OAuth implementations. > > http://codahale.com/a-lesson-in-timing-attacks/ > > The problem is not with the standard itself but with the > implementations. Luckily it is pretty easy to fix. > > The above post provides us with fairly easy solutions for both Java > and Python. I wrote a fix for Ruby, which I think should provide > protection for it: > > http://github.com/pelle/oauth/commit/c867394b4b14bc893cc29fbb0b1b839066843b93 > > We will probably do a ruby gem release shortly for this, but in the > meantime feel free to use the gem from my oauth repository. > > It is not afaik esploitable without a fair bit of skill, but I believe > it it is definitely exploitable. > > P > > -- > http://agree2.com - Reach Agreement! > http://extraeagle.com - Solutions for the electronic Extra Legal world > http://stakeventures.com - Bootstrapping blog > > > > -- --Breno +1 (650) 214-1007 desk +1 (408) 212-0135 (Grand Central) MTV-41-3 : 383-A PST (GMT-8) / PDT(GMT-7) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
