Jacob Kaplan-Moss

3 items tagged “timingvulnerability”

📌 Timing-independent array comparison « root labs rdist

An overview of some of the techniques that *don’t* prevent or mitigate timing attacks.

📌 A Lesson In Timing Attacks (or, Don't use MessageDigest.isEquals) | codahale.com

A very good, simple overview of how timing attacks work. Also covers the “how realistic is an exploit” question well. (Answer: very.)

📌 [security] Widespread Timing Vulnerabilities in OpenID implementations

Most known OpenID implementations are vulnerable to a timing attack in HMAC validation that will let remote attackers forge valid authentication tokens. Timing attacks are a bit tricky to understand, but very real. They’re also quite subtle — a bit like buffer overflows — so knowing what they look like in the wild is important.