tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: const time authentication in bozohttpd

On Wed, Jun 25, 2014 at 07:02:09AM -0500, Terry Moore wrote:
> Perhaps this is a silly comment; but wouldn't it be easier to simply time
> stamp the incoming request, and then spin for any authentication failure
> until a suitable fixed time has elapsed after the inbound arrival? Or are
> you worried about local cache-interference attacks as well?

It might be a solution, but I don't see any reasonable implementation, i.e.
it would be hard to guess how long the code will run. I'm not worried about
local cache-interference, I want to countermeasure attackers from the remote.

 Kind Regards,

Home | Main Index | Thread Index | Old Index