by kapp_in_life
1301 days ago
Not really. It doesn't rely on that big of an assumption, nor does it require nation state resources[0]. When you're trying to find the secret you can make a bunch of requests and measure for statistically significant change, which can still be detectable beyond jitter & web server load. Also ignoring the fact that calling constant_strcompare(string, string) instead of strcompare(string, string) when working with secrets isn't that big of an ask.

[0] https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
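An added illustration of the comparison the comment refers to (not part of the original post, and not code from the linked paper): `leaky_equal` and `ct_equal` are hypothetical stand-ins for `strcompare` and `constant_strcompare`. The step counter is an assumed deterministic proxy for the running time that repeated measurements would average out, and the sample values are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison, as in a typical strcmp/memcmp-style loop.
   *steps counts the bytes examined: the work done depends on how long
   the matching prefix is, which is what a timing measurement exposes. */
static int leaky_equal(const unsigned char *a, const unsigned char *b,
                       size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;               /* returns at the first mismatch */
    }
    return 1;
}

/* Constant-time comparison: always reads all n bytes and ORs the
   differences together, with no branch that depends on the data. */
static int ct_equal(const unsigned char *a, const unsigned char *b,
                    size_t n, size_t *steps)
{
    volatile unsigned char diff = 0; /* volatile discourages short-circuiting */
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values for illustration only. */
    const unsigned char secret[] = "3f9a7c21d4e8b605";
    const char *inputs[] = { "0000000000000000", "3f9a000000000000",
                             "3f9a7c21d4e8b600", "3f9a7c21d4e8b605" };
    size_t n = sizeof secret - 1, leaky, constant;
    for (int i = 0; i < 4; i++) {
        const unsigned char *in = (const unsigned char *)inputs[i];
        int eq = ct_equal(secret, in, n, &constant);
        leaky_equal(secret, in, n, &leaky);
        printf("%s equal=%d leaky_steps=%zu ct_steps=%zu\n",
               inputs[i], eq, leaky, constant);
    }
    return 0;
}
```

Both functions assume equal-length inputs, such as fixed-size MACs or tokens; in production, use the platform's vetted primitive (for example `CRYPTO_memcmp` in OpenSSL) rather than a hand-written loop.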