Your paycheck is safe. It is a hypothetical attack, yes. Only observed under very specific conditions (with a comparator deliberately and parametrically slowed down - see the actual TR for details). Best reported resolution for this attack across a WAN has been microsecond resolution (still bloody impressive, imho), LAN at hundreds of nanoseconds. Typical time for individual character comparisons on commodity hardware is in the tens of picosecond range.
But having said that, even hypothetical attacks are often a code-stink of a badly reviewed implementation. But it won't be fairly obvious you're getting attacked in that way, unless you've specifically put in code or other tech to detect it. Most web-frameworks (Django included) just let that sail right by (rightly) assuming it isn't their job to worry.

Ian.

On Dec 9, 2:02 am, Mike Malone <mjmal...@gmail.com> wrote:
> Yea... in reality I'd bet my paycheck that the answer is no. Despite Coda's
> blog post, you can't use the jitter in HTTP requests to gain any insight
> into where a string match fails.
>
> Even if you could do so with hundreds of requests, it's fairly obvious that
> an attack is taking place when you get that many bad requests for one
> account.
>
> Mike
>
> On Wed, Dec 8, 2010 at 12:10 PM, Alex Gaynor <alex.gay...@gmail.com> wrote:
>
> > On Wed, Dec 8, 2010 at 3:08 PM, Jonas H. <jo...@lophus.org> wrote:
> >
> > > Hello out there,
> > >
> > > what is the point of `django.utils.crypto.constant_time_compare`? I
> > > understand it takes O(n) time no matter what input it is fed with, but of
> > > what avail is it?
> > >
> > > Can the time spent in *one single string comparison* really make such a
> > > huge difference?
> > >
> > > Confused,
> > > Jonas
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups
> > > "Django developers" group.
> > > To post to this group, send email to django-develop...@googlegroups.com.
> > > To unsubscribe from this group, send email to
> > > django-developers+unsubscr...@googlegroups.com.
> > > For more options, visit this group at
> > > http://groups.google.com/group/django-developers?hl=en.
> >
> > In theory, yes. These are a class of attacks known as timing attacks:
> > http://en.wikipedia.org/wiki/Timing_attack. That said I don't know of any
> > actual real world attacks using these, but better safe than sorry.
> >
> > Alex
> >
> > --
> > "I disapprove of what you say, but I will defend to the death your right to
> > say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> > "The people's good is the highest law." -- Cicero
> > "Code can always be simpler than you think, but never as simple as you
> > want" -- Me
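As an added illustration of the comparison Jonas asks about (example code written for this page, not Django's own implementation): an early-exit comparison beside a constant-time one in the style of `django.utils.crypto.constant_time_compare`, each instrumented to report how many characters it examined before deciding. The instrumented functions and the `secret` sample values are assumptions made for the demonstration.

```python
# Added example, not Django's code: shows *why* the work done by a comparison
# can depend on the input, and how a constant-time comparator removes that.
# On current Python, hmac.compare_digest() is the library routine to use.

def naive_compare(val1, val2):
    """Early-exit comparison, as ``==`` on str behaves in practice.

    Returns (equal, chars_examined). The count is what a timing attacker
    tries to infer: it equals the length of the matching prefix plus one,
    so it reveals how far into the secret a guess is correct.
    """
    if len(val1) != len(val2):
        return False, 0
    examined = 0
    for x, y in zip(val1, val2):
        examined += 1
        if x != y:            # stops at the first mismatch
            return False, examined
    return True, examined


def constant_time_compare(val1, val2):
    """Return True iff val1 == val2, visiting every position regardless.

    Each pair is XORed and folded into ``result`` with OR; a single
    non-zero bit anywhere makes the final result non-zero. The length
    check short-circuits, as Django's does, because the length of the
    values being compared (for example an HMAC digest) is not secret.
    """
    if len(val1) != len(val2):
        return False
    result = 0
    for x, y in zip(val1, val2):
        result |= ord(x) ^ ord(y)
    return result == 0


def constant_time_compare_steps(val1, val2):
    """constant_time_compare plus the number of characters examined.

    The count is always the full length for equal-length inputs, so the
    position of the first mismatch does not change the work done.
    """
    if len(val1) != len(val2):
        return False, 0
    return constant_time_compare(val1, val2), len(val1)


if __name__ == "__main__":
    secret = "secret"                      # constructed sample value
    for guess in ("sXcret", "secreX", "secret"):
        print(guess, naive_compare(secret, guess),
              constant_time_compare_steps(secret, guess))
```

Run stand-alone, the early-exit variant reports 2, 6 and 6 characters examined for the three guesses while the constant-time variant reports 6 every time.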