This is a positive example of dev + security interaction, even though roughly 2 years ago - https://github.com/antirez/redis/issues/560 …
@cktricky yeah, finding the signal in the noise and turning that into plaintexts, passwords, MACs, or private keys ;)
-
-
@bascule Yessir, I'd love to see/make a practical demo for Rack::Util.secure_compare but its a lack of "time" issue (see what I did there) -
@cktricky full blown PoC is hard, but I’d be happy measuring data dependent timings in various hand-rolled crypto implementations -
@bascule THAT would be super interesting. Hand rolled as in popular open source implementations? -
@cktricky mostly people using ancient C implementations of AES, or implementing algorithms themselves in e.g. Rust -
@bascule Hmm, I'd be both interested in, as well as to help with, a project like that for sure. -
@cktricky been working on it in Rust. Hard to apply elsewhere because GC and such screws up timings. Even OS scheduling adds noise -
@bascule Understood and Rust seems to be gaining quite a bit of adoption, especially from Rubyists.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.