by tptacek 5119 days ago
The leak that you're ostensibly timing is that in order to figure out how much of the candidate MAC string was valid, the target had to compare more bytes, which takes more time, which adds observable lag to the error response.
1 comments

Is the observable lag for a string comparison significant enough to be useful?

We're talking about such small amounts of time compared to the overhead of the full web stack.

The observable lag isn't usually significant enough if you only do it once, but over many requests the stochastic factors can be compensated for.
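Added example, not part of the thread: a Python model of the leak discussed above, placing an early-exit MAC comparison beside `hmac.compare_digest`. The key, message, abstract cost units and Gaussian noise model (standing in for web-stack jitter) are constructed assumptions; it shows that averaging many samples exposes the early-exit gap, while the constant-time check leaves nothing to average.

```python
import hashlib
import hmac
import random
import statistics

KEY = b"constructed-demo-key"        # constructed sample key
MESSAGE = b"amount=100&to=alice"     # constructed sample message
VALID_MAC = hmac.new(KEY, MESSAGE, hashlib.sha256).digest()

def leaky_compare(a, b):
    """Early-exit comparison. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1      # work done depends on the matching prefix
    return True, len(a)

def constant_time_compare(a, b):
    """hmac.compare_digest does the same work wherever the mismatch is."""
    return hmac.compare_digest(a, b), len(a)

def candidate(correct_prefix_len):
    """Constructed candidate MAC: first n bytes correct, the rest flipped."""
    tail = bytes(b ^ 0xFF for b in VALID_MAC[correct_prefix_len:])
    return VALID_MAC[:correct_prefix_len] + tail

def mean_observed_cost(compare, cand, samples, rng, noise_sigma=50.0):
    """Mean simulated cost: bytes examined plus Gaussian jitter (assumed model)."""
    _, work = compare(VALID_MAC, cand)
    return statistics.fmean(work + rng.gauss(0, noise_sigma) for _ in range(samples))

def gap(compare, samples, seed=1):
    """Mean cost difference between an 8-byte-correct and a 0-byte-correct MAC."""
    rng = random.Random(seed)
    none_right = mean_observed_cost(compare, candidate(0), samples, rng)
    eight_right = mean_observed_cost(compare, candidate(8), samples, rng)
    return eight_right - none_right

if __name__ == "__main__":
    for name, fn in (("early-exit", leaky_compare), ("compare_digest", constant_time_compare)):
        print(f"{name:15s} gap@1={gap(fn, 1):8.2f}  gap@20000={gap(fn, 20000):6.2f}")
```
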