
Author: ncoghlan
Recipients: arigo, christian.heimes, fijall, hynek, loewis, ncoghlan, pitrou
Date: 2012-06-15.07:28:41
Message-id: <1339745322.17.0.324661024268.issue15061@psf.upfronthosting.co.za>

Content
Can people please stop raising a false dichotomy and using that as an excuse not to do anything?

The decision is not between "leak some information" and "leak no information". It is between "leak more information" and "leak less information".

The timing variations with standard comparison are relatively massive and relatively easy to analyse (if the time taken goes up, you got the previous digit correct).

With this comparison, they're far more subtle and require much greater analysis to figure out the significance of the timing changes. That reduces the pool of attackers to those capable of performing that analysis (or in possession of tools that will perform that analysis for them).

Yes, the docs and name are currently completely unacceptable. But scorched earth is not a good answer, because that just means people will fall back to using "==" which is *even worse* from a security point of view.
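To make the distinction drawn above concrete, here is an added example (not code from this issue or from CPython; the tag value, the work counters and the helper names are constructed for illustration) that counts how many bytes each comparison strategy examines before it answers, which is the quantity a timing observer actually sees:

```python
import hmac

# Constructed 16-byte MAC tag for the demonstration; not a real credential.
SECRET_TAG = bytes.fromhex("3f9a1c5e7b2d4f60a1b2c3d4e5f60718")


def early_exit_compare(a, b):
    """Mimics what '==' does on bytes: stop at the first mismatching byte.

    Returns (equal, bytes_examined). The work done grows with the length of
    the matching prefix, so each extra correct byte is visible as extra time.
    """
    if len(a) != len(b):          # length difference is still answered early
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def fixed_work_compare(a, b):
    """Examine every byte whatever the input; fold mismatches into `diff`
    with XOR/OR so there is no data-dependent early return."""
    if len(a) != len(b):          # still leaks a length mismatch, like the stdlib
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def guess_with_prefix(secret, correct_prefix):
    """Constructed guess: the first `correct_prefix` bytes right, the rest wrong."""
    wrong_tail = bytes((b ^ 0xFF) for b in secret[correct_prefix:])
    return secret[:correct_prefix] + wrong_tail


def work_profile(secret):
    """Map matching-prefix length -> (early_exit_work, fixed_work).
    Early exit climbs one byte per correct prefix byte; fixed work stays flat."""
    profile = {}
    for k in range(len(secret) + 1):
        guess = guess_with_prefix(secret, k)
        eq_early, w_early = early_exit_compare(secret, guess)
        eq_fixed, w_fixed = fixed_work_compare(secret, guess)
        # hmac.compare_digest (the constant-time stdlib helper) must give the same verdict.
        assert eq_early == eq_fixed == hmac.compare_digest(secret, guess)
        profile[k] = (w_early, w_fixed)
    return profile


if __name__ == "__main__":
    for k, (w_early, w_fixed) in work_profile(SECRET_TAG).items():
        print(f"{k:2d} correct bytes: early-exit work={w_early:2d}  fixed work={w_fixed:2d}")
```

The counters stand in for wall-clock time so the result is deterministic; on real hardware the early-exit column is what shows up as the "time goes up, previous digit was right" signal.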