Hi, I am a researcher at UT Austin.

Recently I found a timing channel that will leak information about the existence of a user: https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/realm/RealmBase.java#L399

Assuming the ServerDigest is sensitive, then doing a pure string comparison will cause another timing channel: https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/realm/RealmBase.java#L428

Here is more information about timing attacks: https://codahale.com/a-lesson-in-timing-attacks/

Thanks,
Yu

--
Yu Feng
Graduate Research Assistant
UT Austin | Computer Science
512-954-7627 | yuf...@cs.utexas.edu
http://www.cs.utexas.edu/~yufeng/
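As an added illustration of the two channels the post describes (example code written for this page, not Tomcat's RealmBase and not the poster's): a toy realm check in a leaky form beside a hardened form. It assumes a hypothetical in-memory user store, a fixed-length hex digest, and Java 9+ for `Map.of`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Toy realm: maps a username to its stored digest. Not Tomcat code.
public class DigestCheckDemo {

    // Constructed sample store (made-up username and digest value).
    private static final Map<String, String> STORE = Map.of(
            "alice", "0123456789abcdef0123456789abcdef");

    // Placeholder digest of the same length as a real one, used so that an
    // unknown user still costs one full comparison.
    private static final String DUMMY_DIGEST = "00000000000000000000000000000000";

    // Leaky version. Two observable timing differences:
    //  1. an unknown user returns before any comparison runs (user-existence channel);
    //  2. String.equals stops at the first differing character (digest channel).
    static boolean checkLeaky(String user, String clientDigest) {
        String stored = STORE.get(user);
        if (stored == null) {
            return false;               // fast path: shorter response time for unknown users
        }
        return stored.equals(clientDigest);
    }

    // Hardened version: always perform one comparison of the same length, and use
    // MessageDigest.isEqual, whose running time does not depend on where the
    // bytes differ (it still returns early when lengths differ, which is fine
    // here because a digest has a fixed length).
    static boolean checkConstantTime(String user, String clientDigest) {
        String stored = STORE.get(user);
        boolean userExists = stored != null;
        byte[] expected = (userExists ? stored : DUMMY_DIGEST).getBytes(StandardCharsets.UTF_8);
        byte[] provided = clientDigest.getBytes(StandardCharsets.UTF_8);
        boolean digestMatches = MessageDigest.isEqual(expected, provided);
        // Non-short-circuiting '&' so both operands are always evaluated.
        return userExists & digestMatches;
    }

    public static void main(String[] args) {
        System.out.println(checkLeaky("alice", "0123456789abcdef0123456789abcdef"));
        System.out.println(checkConstantTime("alice", "0123456789abcdef0123456789abcdef"));
        System.out.println(checkConstantTime("bob", "0123456789abcdef0123456789abcdef"));
    }
}
```

The hardened path does the same amount of work whether or not the user exists, so response time no longer distinguishes the two cases.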