On Thu, Sep 29, 2011 at 09:07:37PM +0200, Stephan Beal wrote:
> On Thu, Sep 29, 2011 at 8:57 PM, Dmitry Chestnykh
> <dmi...@codingrobots.com> wrote:
> 
> > I posted a link about this concern:
> > http://rdist.root.org/2010/01/07/timing-independent-array-comparison/
> 
> 
> So why not simply add the following logic to server mode:
> 
> A) fetch config option "add-random-sleep" (integer, default=0)
> B) if ((A)>0) AND user is nobody, sleep for random 1..(A) ms. (This attack
> would seem to be useless for anyone but the nobody user. If you're logged
> in, you've got your password, and anonymous gets a random password).
> 

I think that you are adding white noise. It can be averaged out. Isn't the code
from Dmitry more reliable and simple?

Well, if someone has studied those attacks, and the code by Dmitry looks fine
and works based on some heavier studies than our first thoughts on that, let's
use it. No?

Regards,
Lluís.
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
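The timing-independent comparison behind Dmitry's link, shown beside the early-exit comparison it replaces, as an added example written for this thread (not Fossil's code and not Dmitry's): the secret is a constructed sample, and the bytes-examined counter stands in for the wall-clock time a remote caller could measure.

```c
#include <stdio.h>

/* Constructed sample secret for the demo; not a real Fossil value. */
static const unsigned char SECRET[] = "s3cret-token-0001";
#define SECRET_LEN (sizeof(SECRET) - 1)

/* Bytes examined by the last comparison: a stand-in for the elapsed time an
 * attacker would measure over the network. */
static size_t g_examined;
size_t bytes_examined(void) { return g_examined; }

/* Naive comparison: returns as soon as a byte differs, so the work done (and
 * the time taken) grows with the length of the prefix the guess got right. */
int early_exit_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (g_examined = 0; g_examined < n; g_examined++)
        if (a[g_examined] != b[g_examined]) { g_examined++; return 0; }
    return 1;
}

/* Constant-time comparison in the style of the linked rdist article: examine
 * all n bytes unconditionally and OR the XOR of each pair into an accumulator,
 * so the work is the same wherever (or whether) the inputs differ. Returns 1
 * if equal, 0 otherwise, without branching on the data. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned int acc = 0;
    for (g_examined = 0; g_examined < n; g_examined++)
        acc |= (unsigned int)(a[g_examined] ^ b[g_examined]);
    /* acc is in 0..255, so (acc - 1) >> 8 is nonzero only when acc == 0 */
    return (int)(1u & ((acc - 1u) >> 8));
}

int main(void)
{
    /* wrong at byte 0, wrong only at the last byte, and correct */
    const char *guesses[] = { "x3cret-token-0001", "s3cret-token-000x",
                              "s3cret-token-0001" };
    size_t k;
    for (k = 0; k < 3; k++) {
        const unsigned char *g = (const unsigned char *)guesses[k];
        int e = early_exit_equal(SECRET, g, SECRET_LEN);
        size_t s = bytes_examined();
        int c = ct_equal(SECRET, g, SECRET_LEN);
        printf("guess %zu: early-exit=%d after %zu bytes, ct=%d after %zu bytes\n",
               k, e, s, c, bytes_examined());
    }
    return 0;
}
```

The early-exit version stops after 1 byte for the first guess and after 17 for the second, which is exactly the per-byte signal the linked article is about; the constant-time version examines all 17 every time.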
