Message162875
FWIW, Petri's example also explains why leaking the expected length of the string is considered an acceptable optimisation in most reimplementations of this signature check comparison: the attacker is assumed to already know the expected length of the signature, because it's part of a documented protocol or API.
However, I think it's more reasonable for a standard library implementation to omit that optimisation by default. |
|
Date |
User |
Action |
Args |
2012-06-15 08:42:19 | ncoghlan | set | recipients:
+ ncoghlan, loewis, arigo, pitrou, christian.heimes, fijall, petri.lehtinen, hynek |
2012-06-15 08:42:19 | ncoghlan | set | messageid: <1339749739.21.0.659010422263.issue15061@psf.upfronthosting.co.za> |
2012-06-15 08:42:18 | ncoghlan | link | issue15061 messages |
2012-06-15 08:42:18 | ncoghlan | create | |
|