-
_(discussed at TPAC 2016; rough notes and summary of discussed ideas below)_
Read [Hero Element Timing API](https://docs.google.com/document/d/1yRYfYR1DnHtgwC4HRR04ipVVhT1h5gkI6yPmKCgJkyQ/edit) doc f…
-
The timing attack algorithm should be able to discover a valid, hard-coded, API key with zero knowledge.
Some ideas:
- [ ] Brute force the last N chars
- [ ] In systems with many valid API keys it mi…
-
This is a followup to:
https://groups.google.com/a/chromium.org/d/msgid/progressive-web-metrics/CAHTsfZD1zJp6unenAyu%2BKoDJLAfKG41Mm2mmbT9gUKzoMvnxWQ%40mail.gmail.com
At Facebook when we measur…
-
The HMAC hash algo that's supposed to decrypt secret tokens from GitHub isn't working properly. c.f. the [webhooks page](https://github.com/jeancochrane/bunny-hook-deploy/settings/hooks/22647480#deliv…
-
Passive sniffing of encrypted traffic, and time size correlation, is one of the most effective attacks against encrypted web application traffic.
I believe that in an highly interactive webapp, some …
vecna updated
12 years ago
-
We're confused about part of the `ECVRF_prove` function. `ECVRF_prove` calls `GeScalarMult` to multiply `h` by the secret scalar `x`. `GeScalarMult` calls `edwards25519.GeDoubleScalarMultVartime` on `…
-
### Checklist
- [x] I have searched for existing issues for issues like this one. The issue has not been posted. (Duplicate reports slow down development.)
- [x] I have provided reproducable ste…
-
Syncing code should be reviewed for any potential
* [ ] Eclipse or attention stealing attacks.
* [ ] DOS attacks on memory. All data collected per peer or globally should be bounded.
* [ ] DOS at…
-
## CVE-2018-5407 - Medium Severity Vulnerability
Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g
Vulnerability Details
Simultaneous Multi-threading (SMT) in processor…
-
Add as a config option the ability to set constant time.
Some operations (e.g. encryption/decryption) require processing the entire contents of the input before throwing exception in order to mitig…