On 2010-07-17 4:02 AM, Phillip Hallam-Baker wrote:
> A much easier fix to implement and one that would have
> general applicability against timing attacks would be to
> insert a delay before returning an error condition. This
> has the additional benefit of slowing down the attacker.
>
> I record the time I receive a packet as a matter of course.
> It would not be difficult to write some code that ensures
> that the time taken to return an error is quantized at a
> pretty coarse level (10ms or so).

And does not slow down the normal case, unlike the possibly
hopeless attempt to eliminate timing variations that might
leak information.
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
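
The quantized error delay discussed in this thread, sketched as an added example that is not code from either message: the receipt time is recorded, the success path returns immediately, and an error is held until the next 10 ms boundary counted from receipt. The names `error_delay_ns`, `respond`, `simulate` and the `check` callable are hypothetical, and the run uses a constructed fake clock so the boundary case is visible without real sleeping.

```python
import time

QUANTUM_NS = 10_000_000  # 10 ms, the coarse granularity suggested in the thread


def error_delay_ns(received_ns, now_ns, quantum_ns=QUANTUM_NS):
    """Nanoseconds to wait so the error leaves on the next quantum boundary
    measured from packet receipt (never less than one full quantum in total)."""
    elapsed = max(now_ns - received_ns, 0)
    slots = max(-(-elapsed // quantum_ns), 1)  # ceiling division, minimum 1
    return slots * quantum_ns - elapsed


def respond(check, clock=time.monotonic_ns, sleep=time.sleep):
    """Run `check` (hypothetical validation callable returning True/False).
    Success returns at once; failure is held until the quantum boundary."""
    received_ns = clock()  # receipt time, recorded as a matter of course
    if check():
        return "ok"  # the normal case is not slowed down
    sleep(error_delay_ns(received_ns, clock()) / 1e9)
    return "error"


def simulate(work_ns_list):
    """Constructed demo: for each simulated duration of a failing check,
    return the total time from receipt until the error is sent."""
    results = []
    for work_ns in work_ns_list:
        now = [0]  # fake monotonic clock, in nanoseconds

        def clock():
            return now[0]

        def sleep(seconds):
            now[0] += round(seconds * 1e9)

        def failing_check():
            now[0] += work_ns  # pretend validation took this long
            return False

        respond(failing_check, clock, sleep)
        results.append(now[0])
    return results


if __name__ == "__main__":
    # 3 ms and 7 ms failures both leave at 10 ms; a 13 ms failure leaves at
    # 20 ms, so variation that crosses a boundary is coarsened, not removed.
    print(simulate([3_000_000, 7_000_000, 13_000_000]))
```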
