Perhaps those could be attacked. It's possible though that it's not feasible, that the possible inputs leading to a certain timing signature are just too many to get any data out of it.
Consider that those programs are not making any effort whatsoever to run in constant time, and yet no one has shown any timing attack against them. OpenSSL has taken great pains to have constant execution time, and yet subtle processor features like this still introduce enough time differences to recover the keys.
> It's possible though that it's not feasible, that the possible inputs leading to a certain timing signature are just too many to get any data out of it.
That's plausible, but a very different argument from the original, that read:
> In contrast, the timing of virtually any email operation is not dependent on the contents of the email, other than the size.
Consider that those programs are not making any effort whatsoever to run in constant time, and yet no one has shown any timing attack against them. OpenSSL has taken great pains to have constant execution time, and yet subtle processor features like this still introduce enough time differences to recover the keys.