On Wed, Dec 8, 2010 at 3:08 PM, Jonas H. <jo...@lophus.org> wrote:
> Hello out there,
>
> what is the point of `django.utils.crypto.constant_time_compare`? I
> understand it takes O(n) time no matter what input it is fed with, but of
> what avail is it?
>
> Can the time spent in *one single string comparison* really make such a
> huge difference?
>
> Confused,
> Jonas
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to django-develop...@googlegroups.com.
> To unsubscribe from this group, send email to
> django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.

In theory, yes. These are a class of attacks known as timing attacks:
http://en.wikipedia.org/wiki/Timing_attack. That said I don't know of any
actual real world attacks using these, but better safe than sorry.
Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
"Code can always be simpler than you think, but never as simple as you want" -- Me
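An added illustration of the point Alex is making, written for this page and not taken from the thread or from Django's source. Timing measurements are noisy, so the example counts the bytes a comparison inspects before returning; that count is the quantity a timing attack ultimately observes. A comparison that stops at the first mismatching byte does less work when the mismatch is early, which is what leaks information about a secret token; a constant-time comparison inspects every byte regardless. The `constant_time_compare` helper below is shaped after the Django helper Jonas asks about but delegates to the standard library's `hmac.compare_digest`; the secret and guesses are constructed sample values.

```python
import hmac


def compare_with_counter(a: bytes, b: bytes, constant_time: bool):
    """Compare a and b and return (equal, bytes_examined).

    bytes_examined stands in for elapsed time. With constant_time=False the
    loop returns as soon as a mismatch is seen, so the count reveals where
    the first differing byte is. With constant_time=True every byte is
    folded into the accumulator and the count depends only on the length.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    result = 0
    for x, y in zip(a, b):
        examined += 1
        result |= x ^ y  # non-zero once any byte differed
        if result and not constant_time:
            return False, examined  # early exit: the leak
    return result == 0, examined


def constant_time_compare(val1: str, val2: str) -> bool:
    """Equality check whose duration does not depend on where the inputs differ.

    Modelled on the shape of Django's helper (an assumption, not its code);
    hmac.compare_digest is the standard-library primitive for this.
    """
    return hmac.compare_digest(val1.encode(), val2.encode())


def work_profile(secret: bytes, guesses, constant_time: bool):
    """Return how many bytes each guess caused the comparison to examine."""
    return [compare_with_counter(secret, g, constant_time)[1] for g in guesses]


# Constructed sample values: a 12-byte secret and three guesses that differ
# at the first byte, differ at the last byte, and match exactly.
SECRET = b"s3cr3t-t0ken"
GUESSES = [b"x3cr3t-t0ken", b"s3cr3t-t0kex", b"s3cr3t-t0ken"]

if __name__ == "__main__":
    print("early-exit compare examined:", work_profile(SECRET, GUESSES, constant_time=False))
    print("constant-time compare examined:", work_profile(SECRET, GUESSES, constant_time=True))
```

Run stand-alone, the early-exit profile is `[1, 12, 12]` and the constant-time profile is `[12, 12, 12]`: the first row tells an observer how far a guess got, the second tells them nothing beyond the length. Note that both variants still return early on a length mismatch; what `constant_time_compare` protects is the content of the secret, not its length.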