[security] Widespread Timing Vulnerabilities in OpenID implementations

Nate Lawson nate at rootlabs.com
Wed Jul 14 16:00:26 UTC 2010


Eric Norman wrote:
> If I understand the alleged attack correctly, it depends on the timing difference if a standard
> byte sequence comparison is "optimized" by exiting as soon as two bytes differ.

I suggest you read the references linked from the original post. In
particular, "Opportunities and limits of remote timing attacks" by
Crosby et al.

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.65.9811

Their result was around 20 microseconds of visibility over the WAN and
100 nanoseconds on the LAN. We wouldn't be publishing our own work if we
hadn't been able to do at least that well, right? You'll have to wait
for the actual numbers though.  Our talk will cover exactly how
different languages are vulnerable to this attack from the various
vantage points.

BTW, with providers like Amazon AWS and Slicehost, you have to assume an
attacker has a LAN-equivalent vantage point. So you've needed to protect
against at least 100 ns distinguishability for several years now.

I wouldn't take that bet on behalf of my users. I'd just fix the code.

-- 
Nate Lawson
Root Labs :: www.rootlabs.com
+1 (510) 595-9505 / (415) 305-5638 mobile
Solving embedded security, kernel and crypto challenges
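
Added example, not part of the message above and not taken from any OpenID library: the early-exit byte comparison described in the quoted text beside a comparison that does the same work for every input. It assumes the value being checked is an HMAC-SHA1 signature; the key, the message and the helper names are constructed for illustration, and the count of bytes examined stands in for running time.

```python
import hashlib
import hmac

def early_exit_equal(a: bytes, b: bytes):
    """Comparison that returns at the first differing byte.
    Returns (equal, bytes_examined); the second value models the time taken."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined   # work done depends on the matching prefix
    return True, examined

def accumulate_equal(a: bytes, b: bytes):
    """Comparison with no data-dependent exit: OR together every byte difference."""
    if len(a) != len(b):
        return False, 0
    diff = examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined       # always len(a) bytes examined

def verify_signature(key: bytes, message: bytes, presented: bytes) -> bool:
    """What production Python code should call: the interpreter gives no timing
    guarantee for a hand-written loop, hmac.compare_digest is built for this."""
    expected = hmac.new(key, message, hashlib.sha1).digest()
    return hmac.compare_digest(expected, presented)

# Constructed sample values (hypothetical, not from the post).
KEY = b"constructed-association-secret"
MESSAGE = b"mode:id_res\nidentity:https://user.example/\n"
GOOD = hmac.new(KEY, MESSAGE, hashlib.sha1).digest()

def work_for_prefix(compare, matching: int) -> int:
    """Bytes examined when the presented value agrees with GOOD on exactly
    `matching` leading bytes and differs at the next one."""
    wrong = GOOD[:matching] + bytes([GOOD[matching] ^ 0xFF]) + GOOD[matching + 1:]
    return compare(GOOD, wrong)[1]

if __name__ == "__main__":
    for n in (0, 5, 19):
        print(n, work_for_prefix(early_exit_equal, n), work_for_prefix(accumulate_equal, n))
    print(verify_signature(KEY, MESSAGE, GOOD))
```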


