[issue14532] multiprocessing module performs a time-dependent hmac comparison
Nick Coghlan
report at bugs.python.org
Sun Jun 10 17:16:25 CEST 2012
Nick Coghlan <ncoghlan at gmail.com> added the comment:
A comment above the length check referring back to this issue and the deliberate decision to allow a timing attack to determine the length of the expected digest would be handy.
I was just looking at hmac.secure_compare and my thought when reading the source and the docstring was "No, it's not time-independent, you can still use a timing attack to figure out the expected digest length".
----------
nosy: +ncoghlan
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue14532>
_______________________________________
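
An added illustration of the point raised in the comment above (not code from the tracker or from the hmac module): a comparison that checks length first, carrying the kind of comment requested, with a byte-operation counter as a deterministic stand-in for running time. The function name, the counter and the sample digest are constructed for this example.

```python
def compare_counting(expected: bytes, supplied: bytes):
    """Compare two byte strings; return (equal, byte_ops).

    byte_ops counts per-byte operations and stands in for running time
    (an assumption of this sketch, so the result is deterministic).
    """
    # Deliberate (see issue14532): returning early on a length mismatch
    # lets timing reveal the length of the expected digest. Only the
    # digest contents are protected by the loop below.
    if len(expected) != len(supplied):
        return False, 0

    diff = 0
    ops = 0
    for x, y in zip(expected, supplied):
        diff |= x ^ y  # accumulate differences, never exit early
        ops += 1
    return diff == 0, ops


# Constructed sample values, not real digests.
EXPECTED = bytes(range(16))
WRONG_FIRST = b"\xff" + EXPECTED[1:]   # differs in the first byte
WRONG_LAST = EXPECTED[:-1] + b"\xff"   # differs in the last byte
TOO_SHORT = EXPECTED[:8]
TOO_LONG = EXPECTED + EXPECTED

if __name__ == "__main__":
    cases = [
        ("match", EXPECTED),
        ("wrong first byte", WRONG_FIRST),
        ("wrong last byte", WRONG_LAST),
        ("too short", TOO_SHORT),
        ("too long", TOO_LONG),
    ]
    for label, value in cases:
        equal, ops = compare_counting(EXPECTED, value)
        print(f"{label:17} equal={equal!s:5} byte_ops={ops}")
```

Inputs of the right length cost the same number of operations wherever they differ, while any other length costs none, which is the length signal the comment describes.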