null bytes + bcrypt = problem: http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html …
@solardiz @ircmaxell Does it matter if that's an erroneous password that will never be accepted?
@RichFelker Oh, if "error-out early" is literal, it's OK, but @ircmaxell and I were discussing (via e-mail) what can be done in practice
@solardiz @RichFelker We could turn it into an exception... Which still leaks timing information about password length for normal pw's
@ircmaxell @solardiz I think we're misinterpreting what each other are saying. Twitter probably isn't the right medium for this discussion.
@RichFelker @solardiz I'm on freenode and efnet if you want to ping me on IRC...
@RichFelker @ircmaxell In practice, a warning can be issued and the function should proceed anyway, in case the app doesn't check for error