Re: little request :)

From: Lester Caine  Date: Thu, 06 Feb 2014 05:49:59 +0000
Subject: Re: little request :)
Groups: php.internals
Rouven Weßling wrote:
> > Hiding a string length is really tricky, and only possible to a more
> > limited extent than hiding byte value differences.
>
> That's probably a good conclusion. I think we should just document this as
> potentially leaking information about the length. If we do find ways to
> reduce this, by all means, we should take them.
Another one of my silly questions ... What exactly are we trying to protect against? As I understand it, the 'timing attack' is measuring the time it takes to get a response from a login attempt? It is then using the time to make assumptions about valid and invalid user names? So having got what it thinks is a valid name it can then target an attack for the password?

My own accesses to this information are direct to a database query so none of the comparisons you are looking at affect me, but at the PHP level I add delays based on previous failures, so three attempts at a login give a longer delay. One protects against the password attack rather than worrying too much about if the user name is valid? In most cases a public email address is also the user name anyway?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
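The "timing attack" the thread is discussing is narrower than a login-rate question: it is about a string comparison whose running time depends on the input, so an attacker who can time a request learns something about the secret on the other side of the comparison (a password hash, an HMAC, a CSRF token). The PHP script below is an added example for this message, not code from the thread or from PHP itself. It contrasts an early-exit comparison (leaks the position of the first mismatching byte), a constant-time XOR loop (hides byte values but still returns early on a length mismatch, which is the length leak the quoted text refers to), and a length-hiding variant that compares HMACs of both values so only fixed-length digests are ever timed. The 64-byte secret, the guesses and the per-process key are constructed for the demo; it assumes PHP 7.4 or later for hrtime() and arrow functions.

```php
<?php
// Added example, not from the thread. Three comparisons and what each leaks.

// 1. Early-exit comparison: returns at the first differing byte, so the
//    time grows with the length of the matching prefix. With enough samples
//    an attacker recovers the secret one byte at a time.
function naive_equals(string $known, string $user): bool
{
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        if ($known[$i] !== $user[$i]) {
            return false;
        }
    }
    return true;
}

// 2. Constant-time comparison: XOR every byte pair and OR the results, so the
//    loop runs the same number of iterations wherever the first mismatch is.
//    The length check still returns early, so strlen($known) is what leaks.
function constant_time_equals(string $known, string $user): bool
{
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// 3. Length-hiding variant: compare HMACs of both values under a random key
//    (assumed to be generated once per process and kept secret). Digests are
//    always 32 bytes, so the length branch never fires and a fixed-size
//    comparison is all that can be timed.
function length_hiding_equals(string $known, string $user, string $key): bool
{
    return constant_time_equals(
        hash_hmac('sha256', $known, $key, true),
        hash_hmac('sha256', $user, $key, true)
    );
}

// Median wall-clock time of one comparison, in nanoseconds. A real attacker
// averages far more samples to pull the signal out of network jitter.
function median_ns(callable $cmp, string $known, string $guess, int $rounds = 20000): float
{
    $samples = [];
    for ($r = 0; $r < $rounds; $r++) {
        $t = hrtime(true);
        $cmp($known, $guess);
        $samples[] = hrtime(true) - $t;
    }
    sort($samples);
    return $samples[intdiv($rounds, 2)];
}

$secret = str_repeat('s', 64);          // constructed 64-byte secret
$early  = 'x' . str_repeat('s', 63);    // constructed guess: mismatch at byte 0
$late   = str_repeat('s', 63) . 'x';    // constructed guess: mismatch at byte 63
$key    = random_bytes(32);             // per-process key for the HMAC variant

foreach (['naive_equals', 'constant_time_equals'] as $fn) {
    printf("%-22s mismatch@0: %6.0f ns  mismatch@63: %6.0f ns\n",
        $fn, median_ns($fn, $secret, $early), median_ns($fn, $secret, $late));
}
$hmacCmp = fn(string $a, string $b): bool => length_hiding_equals($a, $b, $key);
printf("%-22s mismatch@0: %6.0f ns  mismatch@63: %6.0f ns\n",
    'length_hiding_equals', median_ns($hmacCmp, $secret, $early), median_ns($hmacCmp, $secret, $late));
```

Run with `php timing.php`: the first row should show a visibly larger time for the mismatch at byte 63 than at byte 0, while the other two rows should be flat within noise. The HMAC trick only hides the length of the compared values; it does not remove the need for rate limiting, which is what the delays described in the message above address.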
