Seriously KeePass? Just fix the damn timing attack instead of wasting time explaining why it's not an issue. http://keepass.info/help/kb/sec_issues.html …
Replying to @CiPHPerCoder
I dunno, understanding your threat model is important.
1 reply 0 retweets 3 likes -
Replying to @taviso
That's certainly true, but this particular problem is always a quick fix. The docs read like, "this is why we're not fixing it".
2 replies 0 retweets 0 likes -
Replying to @CiPHPerCoder @taviso
On top of that, a simple fix such as this should be resolved regardless of the context where it is used since that may change in the future.
1 reply 0 retweets 1 like -
Replying to @EdOverflow @CiPHPerCoder
It depends, the "fix" is to use a slower algorithm. That isn't always the right choice.
1 reply 0 retweets 1 like -
(Benchmarks available for PHP here: http://blog.ircmaxell.com/2014/11/its-all-about-time.html …)
1 reply 0 retweets 2 likes -
There are situations where a fast-failing comparison operator is valuable, and that can be a separate function.
1 reply 0 retweets 1 like -
Related: https://cryptocoding.net/index.php/Coding_rules#Prevent_confusion_between_secure_and_insecure_APIs …
1 reply 1 retweet 1 like
I'm sure if they ever change their threat model, that will be useful. But come on, bigger fish to fry :)
Replying to @taviso @CiPHPerCoder
Talking about time, in the time it took them to write why they won't fix it, they could have fixed the issue. ;)
1 reply 0 retweets 0 likes -
Replying to @EdOverflow @CiPHPerCoder
Where do they say the issue is time? Clearly it's a trivial change, but as it's not a bug, why make it slower?
1 reply 0 retweets 0 likes - 5 more replies