<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV></DIV>
<DIV><A href="http://codahale.com/a-lesson-in-timing-attacks/">http://codahale.com/a-lesson-in-timing-attacks/</A></DIV>
<DIV> </DIV>
<DIV>The article makes a good case for taking even network operations seriously. It's like brute force, except the force required should diminish over time. The result is that a little preemptive action now, may prevent a lot of pain later. I'm not sure I'd take the side of it being a serious problem just yet, but "just yet" doesn't mean "completely ignore". As the OP has stated, there is a clear trend to fix this vulnerability (potential or otherwise) where possible.</DIV>
<DIV> </DIV>
<DIV>P.S. Hope the Blackhat USA slides are put up somewhere ;)<BR> </DIV><SPAN style="COLOR: rgb(0,0,191)"><FONT style="FONT-FAMILY: times new roman, new york, times, serif" size=3><SPAN style="FONT-WEIGHT: bold">Pádraic Brady<BR><BR></SPAN></FONT><SPAN style="FONT-STYLE: italic"><FONT style="FONT-FAMILY: times new roman, new york, times, serif" size=3><A href="http://blog.astrumfutura.com/" target=_blank rel=nofollow>http://blog.astrumfutura.com</A><BR><A href="http://www.survivethedeepend.com/" target=_blank rel=nofollow>http://www.survivethedeepend.com</A><BR><A href="http://www.openideurope.eu/" target=_blank rel=nofollow>OpenID Europe Foundation Irish Representative</A><BR></FONT></SPAN></SPAN>
<DIV><BR></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><BR>
<DIV style="FONT-SIZE: 8pt; FONT-FAMILY: tahoma, new york, times, serif"><FONT face=Tahoma size=2>
<HR SIZE=1>
<B><SPAN style="FONT-WEIGHT: bold">From:</SPAN></B> Eric Norman <ejnorman@doit.wisc.edu><BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> openid-security@lists.openid.net<BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Wed, July 14, 2010 7:12:56 AM<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [security] Widespread Timing Vulnerabilities in OpenID implementations<BR></FONT><BR></DIV></DIV></div></body></html>