
Not really. It doesn't rely on that big of an assumption, nor does it require nation-state resources [0]. When you're trying to find the secret you can make a bunch of requests and measure for a statistically significant change, which can still be detectable beyond jitter and web server load.

Also ignoring the fact that calling constant_strcompare(string, string) instead of strcompare(string, string) when working with secrets isn't that big of an ask.

[0] https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
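As an added illustration (not the commenter's code), here are the two routines named above side by side in C. A step counter stands in for the timing measurement: it shows why the early-exit compare's running time tracks the length of the correct prefix while the constant-time compare's does not. The token value and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit compare (the plain strcompare of the comment). Returns 1 if the
 * n bytes match. *steps receives how many bytes were examined, which grows
 * with the length of the correct prefix: that is the quantity a timing
 * measurement recovers. */
static int early_exit_equal(const char *a, const char *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;            /* returns as soon as one byte differs */
    }
    return 1;
}

/* Constant-time compare (the constant_strcompare of the comment). Every byte
 * is examined and the result is accumulated without branching on secret data,
 * so *steps is always n whatever the input. volatile discourages the compiler
 * from reintroducing an early exit. */
static int constant_time_equal(const char *a, const char *b, size_t n, size_t *steps)
{
    volatile unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Helpers for equal-length inputs; assume strlen(secret) == strlen(guess). */
static size_t steps_early(const char *secret, const char *guess)
{ size_t s; early_exit_equal(secret, guess, strlen(secret), &s); return s; }
static size_t steps_ct(const char *secret, const char *guess)
{ size_t s; constant_time_equal(secret, guess, strlen(secret), &s); return s; }
static int ct_equal(const char *secret, const char *guess)
{ size_t s; return constant_time_equal(secret, guess, strlen(secret), &s); }

int main(void)
{
    const char *secret = "a9f3c2e17b04";            /* constructed sample token */
    const char *guesses[] = { "000000000000", "a9f000000000", "a9f3c2e17b04" };
    for (int i = 0; i < 3; i++)
        printf("guess %s: early-exit examined %zu bytes, constant-time %zu\n",
               guesses[i], steps_early(secret, guesses[i]), steps_ct(secret, guesses[i]));
    return 0;
}
```

In a real service the step count is what leaks through response time; the fix is to use the constant-time routine (or the platform's equivalent, such as a hash-comparison helper) wherever a secret is checked.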



If you could measure the time granularly as a client requesting some resource on the server how exactly would you know the time corresponds to the comparison and not to some tangential task?



