Depending on the implementation, yes, timing attacks can be exploited in the field, not just in theory. Again, much depends on a lot of variables involved.
Nate Lawson and Taylor Nelson had a great talk at BlackHat that covered piles of background and theory of timing attacks and successful exploitation.
http://www.youtube.com/watch?v=ehxjAq59xEw&feature=related
Part 3 is where they get into exploitation.

Another talk, Nate Lawson's Google TechTalk "When Crypto Attacks": "incorrectly comparing hash value" at 30:00. Again, I haven't looked at whether the recommended countermeasures in constant_time_compare are what is recommended out there.
http://timingattacks.org/nate-lawson-google-techtalk-when-crypto-attac

Even if it's not 100% valuable to this thread, those couple of resources provide some great info for anybody wanting to understand timing attacks and their exploitability in more depth.

-Adam Baldwin
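The following is an added example, not part of the original message and not Django's code. It shows why an early-exit hash comparison is the "incorrect" kind: the amount of work it does depends on how many leading bytes match, while an XOR-accumulate comparison does the same work for every input. The key, message and function names are constructed for illustration, and a counter of bytes examined stands in for wall-clock time so the result is deterministic.

```python
import hashlib
import hmac

def leaky_equal(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            # Stops at the first mismatch: work done reveals the matching prefix length.
            return False, examined
    return True, examined

def constant_time_equal(a: bytes, b: bytes):
    """XOR-accumulate comparison. Always examines every byte."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y  # no data-dependent branch inside the loop
    return diff == 0, examined

# Constructed sample data (not from the original thread).
KEY = b"constructed-demo-key"
MESSAGE = b"user=alice"
EXPECTED = hmac.new(KEY, MESSAGE, hashlib.sha256).digest()  # 32 bytes

def candidate_matching_prefix(n: int) -> bytes:
    """A wrong digest that agrees with EXPECTED in exactly the first n bytes."""
    return EXPECTED[:n] + bytes(b ^ 0xFF for b in EXPECTED[n:])

def work_profile(compare):
    """Bytes examined when the candidate matches 0, 8, 16 and 31 leading bytes."""
    return [compare(EXPECTED, candidate_matching_prefix(n))[1] for n in (0, 8, 16, 31)]

if __name__ == "__main__":
    print("early exit   :", work_profile(leaky_equal))
    print("constant time:", work_profile(constant_time_equal))
    # The standard library's maintained primitive for this check:
    print("compare_digest:", hmac.compare_digest(EXPECTED, candidate_matching_prefix(31)))
```

In production Python code, `hmac.compare_digest` is preferable to a hand-written loop, since interpreter-level details can still introduce timing variation in pure-Python comparisons.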