[security] Widespread Timing Vulnerabilities in OpenID implementations
Nate Lawson
nate at rootlabs.com
Wed Jul 14 16:02:00 UTC 2010
Pádraic Brady wrote:
> http://codahale.com/a-lesson-in-timing-attacks/
>
> The article makes a good case for taking even network operations seriously. It's
> like brute force, except the force required should diminish over time. The
> result is that a little preemptive action now may prevent a lot of pain later.
> I'm not sure I'd take the side of it being a serious problem just yet, but "just
> yet" doesn't mean "completely ignore". As the OP has stated, there is a clear
> trend to fix this vulnerability (potential or otherwise) where possible.
Yes, I agree. BTW, that article cites our original finding in Google
Keyczar back in May 2009.

> P.S. Hope the Blackhat USA slides are put up somewhere ;)

Yes, after the talk it will be online.
--
Nate Lawson
Root Labs :: www.rootlabs.com
+1 (510) 595-9505 / (415) 305-5638 mobile
Solving embedded security, kernel and crypto challenges