-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jonathan Schleifer schrieb: > Florian Zeitz <[EMAIL PROTECTED]> wrote: > >> If Jonathan has any other attacks in mind or found a way to apply this >> technique to XMPP I'd really like to hear about it. > > I'm not saying I found an attack, but currently, an attacker would know > how long the message is _AND_ how long it has been typed. I could > imagine that this may make an attack easier. >
I personally doubt this. While you learn the length of the message, the how long it has been typed is difficult to figure out: http://www.cs.virginia.edu/~evans/cs588-fall2001/projects/reports/team4.pdf cites difficulties due to network latency. In the case of typing notifications there is additionally a delay until a "not typing any longer" event is sent or a unknown pause before someone presses enter (s/he might reread his message, might just press Enter immediately, might press Enter by accident in the middle of a message, etc.). And as stated before you can also delete characters while "typing". All this factors make getting a valid value for how long the message has been typed near impossible in real life IMHO. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFImERH0JXcdjR+9YQRAs34AJ9j4foq+0+qLukiBgC8LqwqpteangCfR9Ux H767FVzsNR1zUE/rFAcVqHk= =ZEYE -----END PGP SIGNATURE-----
