Message162880
| Author |
christian.heimes |
| Recipients |
christian.heimes, fijall, hynek, loewis, ncoghlan, petri.lehtinen, pitrou |
| Date |
2012-06-15.10:00:20 |
| Message-id |
<1339754422.02.0.747287512063.issue15061@psf.upfronthosting.co.za> |
| In-reply-to |
| Content |
Oh dear god, what have I done ... I threw a small stone and caused a major landslide. :)
I'm all with Nick on this topic. A correctly named and documented function provides a tool to users that greatly reduces the chance of a side channel attack. It's all about teaching good practice. I also agree that we must neither call it 'secure' nor document it as 'secure'. I believe the correct term is 'hardened against timing analysis and side channel attacks'.
I could wrap up a quick C implementation if you like. The operator module is a better place for a total_compare() function. Do you agree?
I recommend that you read/watch Geremy Condra's PyCon talk "Through the Side Channel: Timing and Implementation Attacks in Python". The slides contain timing analysis diagrams. |
|
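Added example, not part of the original message or of CPython's code: a sketch of why an ordinary comparison leaks through timing and what a comparison "hardened against timing analysis" changes. The function names, the constructed token and the step counter (a deterministic stand-in for elapsed time) are assumptions made for illustration.

```python
import hmac


def early_exit_compare(a: bytes, b: bytes):
    """Ordinary comparison: stops at the first mismatch.

    Returns (equal, bytes_examined); the count stands in for elapsed time.
    """
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps  # work done depends on the secret's prefix
    return True, steps


def hardened_compare(a: bytes, b: bytes):
    """Examines every byte, wherever the first mismatch is.

    Pure Python cannot promise constant time; this shows the structure only.
    """
    if len(a) != len(b):
        return False, 0  # the length itself is not hidden
    diff = 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y  # accumulate differences, no data-dependent branch
    return diff == 0, steps


def work_profile(compare, secret: bytes, guesses):
    """Bytes examined per guess: what a timing measurement would approximate."""
    return [compare(secret, g)[1] for g in guesses]


# Constructed sample data: a 16-byte token and guesses that first differ
# at index 0, index 8 and index 15, plus the correct value.
SECRET = b"s3cr3t-token-000"
GUESSES = [b"X3cr3t-token-000", b"s3cr3t-tXken-000", b"s3cr3t-token-00X", SECRET]

if __name__ == "__main__":
    print("early exit:", work_profile(early_exit_compare, SECRET, GUESSES))
    print("hardened:  ", work_profile(hardened_compare, SECRET, GUESSES))
    # In Python 3.3 and later the standard library offers hmac.compare_digest
    # for this purpose; prefer it over a hand-written loop.
    print("stdlib:    ", [hmac.compare_digest(SECRET, g) for g in GUESSES])
```

The early-exit profile grows with the length of the matching prefix, which is the signal a timing analysis recovers; the hardened profile is flat for every guess of the same length.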