[security] Widespread Timing Vulnerabilities in OpenID implementations
James A. Donald
jamesd at echeque.com
Sat Jul 17 03:27:47 UTC 2010
--
On 2010-07-17 4:02 AM, Phillip Hallam-Baker wrote:
> A much easier fix to implement and one that would have
> general applicability against timing attacks would be to
> insert a delay before returning an error condition. This
> has the additional benefit of slowing down the attacker.
>
> I record the time I receive a packet as a matter of course.
> It would not be difficult to write some code that ensures
> that the time take to return an error is quantized at a
> pretty coarse level (10ms or so).
And does not slow down the normal case, unlike the possibly
hopeless attempt to eliminate timing variations that might
leak information.
More information about the security
mailing list