-
There is a series of places where implementations can (and currently do) make choices with regard to (a) whether and (b) what prompts are shown to the user.
For example, in Chrome's implementatio…
-
```yaml
id: 451
title: 'RVD#451: DDS cryptographic plugin, AES_GCM subject to forgery, key recovery
and timing attacks, and nonce replay attacks'
type: vulnerability
description: For the cryptograph…
```
-
This is proposing a check in Brakeman that could detect and warn on code that smells like it might be vulnerable to a timing attack that reveals a secret.
One pattern that would detect some vulnera…
-
Someone pointed me to this terrifying piece of arm64 documentation.
https://developer.arm.com/documentation/ddi0595/2021-06/AArch64-Registers/DIT--Data-Independent-Timing
It's a flag that ensure…
-
> Marvin Attack: potential key recovery through timing sidechannels
| Details | |
| ------------------- | ---------------------------------…
-
I've written down a simple idea that may help a great deal. We should implement it, if only because it's simple and because it'll make it easier to reason about it effectively.
- branch: 2015-06-06-m…
-
[Example snippet](https://github.com/caffeinehit/django-oauth2-provider/blob/6b5bc0d3ad706d2aaa47fa476f38406cddd01236/provider/oauth2/backends.py#L73-L82)
It appears that OAuth2 backends are using da…
-
OpenSSL's implementation was not constant time and could be attacked by an otherwise unprivileged attacker with code execution [resulting in secret disclosure](https://eprint.iacr.org/2021/553).
T…
-
Several algorithms and protocols supported by OpenSSL are obsolete. These include (but are not limited to)
- RC5
- RC4
- MD2
- MD4 (sadly still used by NTLM compat stuff)
- RIPE-MD
- SSL (all…
-
> Marvin Attack: potential key recovery through timing sidechannels
| Details | |
| ------------------- | ---------------------------------…