Florian Zeitz wrote:
> Jonathan Schleifer wrote:
>> Florian Zeitz <[EMAIL PROTECTED]> wrote:
>>> If Jonathan has any other attacks in mind or found a way to apply this technique to XMPP I'd really like to hear about it.
>>
>> I'm not saying I found an attack, but currently, an attacker would know how long the message is _AND_ how long it has been typed. I could imagine that this may make an attack easier.
>
> I personally doubt this. While you learn the length of the message, how long it has been typed is difficult to figure out: http://www.cs.virginia.edu/~evans/cs588-fall2001/projects/reports/team4.pdf cites difficulties due to network latency. In the case of typing notifications there is additionally a delay until a "not typing any longer" event is sent or an unknown pause before someone presses enter (s/he might reread his message, might just press Enter immediately, might press Enter by accident in the middle of a message, etc.). And as stated before you can also delete characters while "typing". All these factors make getting a valid value for how long the message has been typed near impossible in real life IMHO.

I tend to agree. At least, I would be curious to see if anyone finds a real attack in this way.
/psa
