[security] Widespread Timing Vulnerabilities in OpenID implementations

Nate Lawson nate at rootlabs.com
Wed Jul 14 16:02:00 UTC 2010


Pádraic Brady wrote:
> http://codahale.com/a-lesson-in-timing-attacks/
> 
> The article makes a good case for taking even network operations seriously. It's 
> like brute force, except the force required should diminish over time. The 
> result is that a little preemptive action now may prevent a lot of pain later. 
> I'm not sure I'd take the side of it being a serious problem just yet, but "just 
> yet" doesn't mean "completely ignore". As the OP has stated, there is a clear 
> trend to fix this vulnerability (potential or otherwise) where possible.

Yes, I agree. BTW, that article cites our original finding in Google
Keyczar back in May 2009.

> P.S. Hope the Blackhat USA slides are put up somewhere ;)

Yes, after the talk it will be online.

-- 
Nate Lawson
Root Labs :: www.rootlabs.com
+1 (510) 595-9505 / (415) 305-5638 mobile
Solving embedded security, kernel and crypto challenges


