This is a positive example of dev + security interaction, even though roughly 2 years ago - https://github.com/antirez/redis/issues/560 …
@cktricky lol timing attack on a password sent over a non-encrypted connection ;)
-
-
@bascule ha, two separate attack avenues but I can see the point… because the point was sent to Redis over cleartext lulz -
@cktricky people who think timing attacks on modern hardware aren’t possible misunderstand that both the network and attacks get better too -
@bascule Oh, I totally agree. While I'm no expert in timing attacks, I think it comes down understanding the baseline + identifying "noise" -
@cktricky yeah, finding the signal in the noise and turning that into plaintexts, passwords, MACs, or private keys ;) -
@bascule Yessir, I'd love to see/make a practical demo for Rack::Util.secure_compare but its a lack of "time" issue (see what I did there) -
@cktricky full blown PoC is hard, but I’d be happy measuring data dependent timings in various hand-rolled crypto implementations -
@bascule THAT would be super interesting. Hand rolled as in popular open source implementations? -
@cktricky mostly people using ancient C implementations of AES, or implementing algorithms themselves in e.g. Rust - 3 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.