Breno de Medeiros wrote:
> On Fri, Jul 16, 2010 at 08:02, Pádraic Brady <[email protected]> wrote:
>> I can only speak for PHP, but the function is also multiples slower than a
>> native comparison from when I was implementing it last year. Not all that
>> surprising given PHP is also built on C (to the point it practically copies
>> functions) so it should resolve similarly.
>
> The only fair comparison here is when the two inputs are equal.
> Lengthening the time of computation when the inputs are different is
> the goal of this fix.

Yes, that's what I was checking on.

>> Just on implementations - have you notified these directly? Not all of them
>> may be paying attention to this list since it's not necessarily
>> implementation specific.

No, there are too many. We've also notified all OAuth, various web
frameworks, and others not yet public. There are at least 30 known
affected libraries and up to double that unknown. We can't review
everything.

--
Nate Lawson
Root Labs :: www.rootlabs.com
+1 (510) 595-9505 / (415) 305-5638 mobile
Solving embedded security, kernel and crypto challenges
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
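The benchmarking point made in the thread above, as an added example that is not part of the original message or of any library it mentions. It assumes the fix is a byte-wise XOR-accumulate comparison (the thread does not show the function) and counts bytes examined instead of measuring wall-clock time; all function names and the sample value are constructed.

```python
import hmac

def early_exit_equal(a: bytes, b: bytes):
    """Native-style comparison: stops at the first differing byte.
    Returns (result, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps

def constant_time_equal(a: bytes, b: bytes):
    """XOR-accumulate comparison (assumed form of the fix): examines every
    byte even after a difference has been seen.
    Returns (result, bytes_examined)."""
    if len(a) != len(b):
        return False, 0  # length is not treated as secret in this sketch
    diff = 0
    steps = 0
    for x, y in zip(a, b):
        diff |= x ^ y  # accumulate differences, never branch on them
        steps += 1
    return diff == 0, steps

def work_profile(compare, expected: bytes):
    """Bytes examined when the other input first differs at position i,
    for every i, followed by the equal-input case as the last entry."""
    profile = []
    for i in range(len(expected)):
        other = bytearray(expected)
        other[i] ^= 0xFF  # force a mismatch at position i only
        profile.append(compare(expected, bytes(other))[1])
    profile.append(compare(expected, expected)[1])
    return profile

# Constructed sample value standing in for a signature or MAC.
EXPECTED = bytes.fromhex("3f9a1c7be204d5a8")

if __name__ == "__main__":
    # Work varies with the mismatch position: this is what the fix removes.
    print("early exit   :", work_profile(early_exit_equal, EXPECTED))
    # Work is flat; only the last (equal-input) entry matches the native cost.
    print("constant time:", work_profile(constant_time_equal, EXPECTED))
    # Production Python code should call the standard library routine.
    print("compare_digest:", hmac.compare_digest(EXPECTED, EXPECTED))
```

The step counts model the work done, not real timing; in Python, `hmac.compare_digest` is the routine to deploy.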
