Nate,

How do you ascertain that a given library is vulnerable? Just by code inspection and assume you understand the implications of the platform and surrounding code, or do you successfully exploit it to be certain?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Fri, Jul 16, 2010 at 10:45 AM, Nate Lawson <[email protected]> wrote:
> Breno de Medeiros wrote:
> > On Fri, Jul 16, 2010 at 08:02, Pádraic Brady <[email protected]> wrote:
> >> I can only speak for PHP, but the function is also multiples slower than a native comparison from when I was implementing it last year. Not all that surprising given PHP is also built on C (to the point it practically copies functions) so it should resolve similarly.
> >
> > The only fair comparison here is when the two inputs are equal. Lengthening the time of computation when the inputs are different is the goal of this fix.
>
> Yes, that's what I was checking on.
>
> >> Just on implementations - have you notified these directly? Not all of them may be paying attention to this list since it's not necessarily implementation specific.
>
> No, there are too many. We've also notified all OAuth, various web frameworks, and others not yet public. There are at least 30 known affected libraries and up to double that unknown. We can't review everything.
>
> --
> Nate Lawson
> Root Labs :: www.rootlabs.com
> +1 (510) 595-9505 / (415) 305-5638 mobile
> Solving embedded security, kernel and crypto challenges
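An added example of the comparison Breno is describing, written in Python for this editing pass and not taken from the thread or from any of the libraries it mentions: a compare that returns at the first mismatch beside one that examines every byte, both instrumented to count the byte comparisons performed so that the "same work for unequal inputs" property can be checked without measuring wall-clock time. The function names and the sample inputs in the comments are constructed for illustration.

```python
# Added example (not from the thread): a leaky byte-by-byte comparison next to
# a constant-time one, each returning (equal, bytes_examined) so the amount of
# work done for different mismatch positions can be compared directly.
import hmac


def leaky_equals(a: bytes, b: bytes):
    """memcmp/strcmp-style compare that stops at the first differing byte.

    The bytes_examined count (and hence the running time) reveals how many
    leading bytes of the guess matched the expected value.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equals(a: bytes, b: bytes):
    """Examine every byte regardless of where the first mismatch is.

    The OR-accumulator never short-circuits, so unequal inputs cost the same
    as equal inputs of the same length. Only the length check can exit early,
    which is acceptable for fixed-length values such as HMAC tags.
    """
    if len(a) != len(b):
        return False, 0
    acc = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        acc |= x ^ y
    return acc == 0, examined


def verify_signature(expected: bytes, provided: bytes) -> bool:
    """What application code should call: the standard library's compare."""
    return hmac.compare_digest(expected, provided)
```

With a constructed 6-byte value, leaky_equals examines 1 byte when the first byte differs and 6 when only the last differs, while constant_time_equals examines 6 in every case.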
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
