On Thu, 2010-12-09 at 00:54 -0800, Mike Malone wrote:

> If you can show me a viable timing attack, over the Internet, under
> reasonable real-world circumstances, and caused by something as
> negligible as a single string comparison I will give you my paycheck.
> And I will eat my laptop.

We don't just have the internet to worry about - given the places Django
is used, we must consider datacentres and LANs, and even shared hosting.
Shared hosting is probably the only one close to being exploitable at
the moment for our usage. My quick, fairly crude tests with python
timeit suggest a single character can take 2ns to check. I've struggled
to find information on time resolution for local timing attacks, but I
don't think 2ns is far off being exploitable.

Luke

(For reference, I used a command line like:

 python -m timeit -s 'x="x2345678901234567890"; y="12345678901234567890"' 'x == y'

and then moved the 'x' in the first one along. I tried some other
variations too. There are some 'end effects' which I tried to remove.)

-- 
"My capacity for happiness you could fit into a matchbox without 
taking out the matches first." (Marvin the paranoid android)

Luke Plant || http://lukeplant.me.uk/
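The measurement Luke describes, and the mitigation the thread is arguing about, reproduced as an added example (not code from the message or from Django): time a plain `==` comparison as the first mismatching character is moved along a constructed 20-character token, then time `hmac.compare_digest` on the same inputs. The token, the `mismatch_at` helper and the function names are assumptions for this example.

```python
import hmac
import timeit

# Constructed sample token for the experiment; not a real secret.
SECRET = "12345678901234567890"


def mismatch_at(position: int, secret: str = SECRET) -> str:
    """Return a string equal to `secret` except at index `position`.

    Same length on purpose: CPython's str `==` rejects length mismatches
    before looking at any characters, so only equal-length candidates
    exercise the byte-by-byte path being measured.
    """
    if not 0 <= position < len(secret):
        raise ValueError("position outside the token")
    replacement = "x" if secret[position] != "x" else "y"
    return secret[:position] + replacement + secret[position + 1:]


def constant_time_equal(a: str, b: str) -> bool:
    """Length-independent comparison; encode so non-ASCII input is accepted."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def time_compare(positions, number=1_000_000, constant_time=False):
    """Seconds per comparison, keyed by the index of the first mismatch.

    With constant_time=False this is Luke's `x == y` timeit run; with
    constant_time=True the same candidates go through compare_digest.
    """
    stmt = ("constant_time_equal(cand, SECRET)" if constant_time
            else "cand == SECRET")
    results = {}
    for pos in positions:
        env = {"cand": mismatch_at(pos), "SECRET": SECRET,
               "constant_time_equal": constant_time_equal}
        total = timeit.timeit(stmt, globals=env, number=number)
        results[pos] = total / number
    return results


if __name__ == "__main__":
    positions = [0, 5, 10, 15, 19]
    naive = time_compare(positions)
    fixed = time_compare(positions, constant_time=True)
    print("mismatch at  ==  (s)        compare_digest (s)")
    for pos in positions:
        print(f"{pos:>11}  {naive[pos]:.3e}     {fixed[pos]:.3e}")
```

Run it a few times and compare the spread of the `==` column with the spread of the `compare_digest` column; the absolute numbers depend on the machine and, as Luke notes, on end effects, so the point is the trend across positions rather than any single figure.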
