Something not mentioned here is that timing attacks have been proven effective even across the internet; you might think "Oh the jitter in TCP is going to overwhelm any leaked information," but you would be wrong.
I do have the sentence "This difference is enough to measure, even on web applications." in the fourth paragraph. Should I highlight that a bit, bold maybe?
I'd also like a good reference for that, and my Google skills were failing me. Do you happen to have a link to something that shows that off?
I missed that on the first read-through. Invariably, when you introduce someone smart to timing attacks they will say "Oh, but that's not going to be practical over TCP/IP."