Jacob Kaplan-Moss
Activity tagged “timingvulnerability”
Bookmarks
Timing-independent array comparison « root labs rdist
An overview of some of the techniques that *don't* prevent or mitagate timing attacks.
A Lesson In Timing Attacks (or, Don't use MessageDigest.isEquals) | codahale.com
A very good, simple, overview of how timing attacks work. Also covers the “how realistic is an exploit” question well. (Answer: very.)
[security] Widespread Timing Vulnerabilities in OpenID implementations
Most known OpenID implementations are vulnerable to a timing attack in HMAC validation that will let remote attackers forge valid authentication tokens. Timing attacks are a bit tricky to understand, but very real. They're also quite subtle — a bit like buffer overflows — so knowing what they look like in the wild is important.