null bytes + bcrypt = problem:http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html …
@solardiz @ircmaxell In that case the ideal behavior is probably to check the full length for nul bytes and error-out early.
-
-
@RichFelker@ircmaxell Even if the check itself is timing-safe, you'd have different timings and error logs for inputs with NULs vs. without -
@solardiz@ircmaxell Does it matter if that's an erroneous password that will never be accepted? -
@RichFelker Oh, if "error-out early" is literal, it's OK, but@ircmaxell and I were discussing (via e-mail) what can be done in practice -
@solardiz@RichFelker We could turn it into an exception... Which still leaks timing information about password length for normal pw's -
@ircmaxell@solardiz I think we're misinterpreting what each other are saying. Twitter probably isn't the right medium for this discussion. -
@RichFelker@solardiz I'm on freenode and efnet if you want to ping me on IRC...
End of conversation
New conversation -
-
-
@solardiz@ircmaxell That prevents the processing of data that will be silently misinterpreted in other contexts.Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
@RichFelker@ircmaxell The problem with "check the full length for nul bytes and error-out early" is it introduces side-channel leaksThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.