by ryalfalpha 4761 days ago
Haven't done much golang and don't have it installed on this laptop, but are string comparisons constant time?

If not, I think there is potential for a timing attack here?

if usr == _admin_usr && pw == _admin_pw { return RootMode, nil }

2 comments

Go does not have constant time string comparisons by default. The crypto/subtle package supplies constant time comparisons.
Thanks for pointing that out. Will look into it.
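The check from the question rewritten with crypto/subtle, as an added example that is not part of the thread or the project's own code. The `Mode` type, `NoMode`, `errDenied`, the sample credentials and the function names `ctEqual` and `login` are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Mode and NoMode are assumed; only RootMode appears in the quoted snippet.
type Mode int

const (
	NoMode Mode = iota
	RootMode
)

// Constructed sample credentials standing in for _admin_usr / _admin_pw.
const adminUsr, adminPw = "admin", "correct horse battery staple"

var errDenied = errors.New("access denied")

// ctEqual returns 1 if a == b and 0 otherwise, in time that does not depend
// on where the strings differ. Both sides are hashed first so the inputs have
// equal length: ConstantTimeCompare returns immediately on a length mismatch.
// The hash is only for length equalization, not for password storage.
func ctEqual(a, b string) int {
	ha := sha256.Sum256([]byte(a))
	hb := sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:])
}

// login always evaluates both comparisons and combines them with a bitwise
// AND. The original `usr == x && pw == y` short-circuits, so a wrong user
// name skips the password comparison and the two cases take different time.
func login(usr, pw string) (Mode, error) {
	userOK := ctEqual(usr, adminUsr)
	pwOK := ctEqual(pw, adminPw)
	if userOK&pwOK == 1 {
		return RootMode, nil
	}
	return NoMode, errDenied
}

func main() {
	fmt.Println(login("admin", "correct horse battery staple"))
	fmt.Println(login("admin", "wrong"))
}
```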