On Sat, Jun 27, 2015 at 2:38 AM, Steven D'Aprano <st...@pearwood.info> wrote: > Can you [generic you] believe that attackers can *reliably* attack remote > systems based on a 20µs timing differences? If you say "No", then you fail > Security 101 and should step away from the computer until a security expert > can be called in to review your code.
Of course. I wouldn't bet the house on it, but with the proposed substitution cipher system, I don't see why there would be any measurable timing differences at all based on the choice of key. The time to obfuscate a single byte is constant, so the total time to obfuscate the payload should just be a function of the length of the data. Secondly, the 200 (or whatever) response to the client does not depend on the outcome of the obfuscation step, so there is no reason that the server cannot simply respond first and obfuscate after, giving the client nothing to time. -- https://mail.python.org/mailman/listinfo/python-list