The HmacSha1SigningProvider is vulnerable to a remote timing attack in the way
the signatures are compared. Comparison needs to be done in a manner that will
take a constant amount of time regardless of success or failure. You can read
more about timing attacks at http://codahale.com/a-lesson-in-timing-attacks/.
I've attached a patch that passed all the unit tests on my end.
Original issue reported on code.google.com by jdow...@gmail.com on 12 Jul 2011 at 11:26
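
The data-dependent comparison the report describes, beside a constant-time one, as an added example that is not part of the original issue, its attached patch, or the project's code. Python, the function names, the key and the base string are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample inputs (not taken from the project or the report).
KEY = b"constructed-consumer-secret&constructed-token-secret"
BASE_STRING = b"GET&http%3A%2F%2Fexample.invalid%2Fresource&oauth_nonce%3Dabc"


def sign(key: bytes, base_string: bytes) -> bytes:
    """Return the HMAC-SHA1 signature as 20 raw bytes."""
    return hmac.new(key, base_string, hashlib.sha1).digest()


def early_exit_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Ordinary comparison; also reports how many bytes were examined."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            # Stops at the first mismatch, so the work done depends on
            # how much of the presented signature is correct.
            return False, i + 1
    return True, len(a)


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Examines every byte no matter where the first mismatch is."""
    if len(a) != len(b):  # the length of an HMAC-SHA1 digest is public
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y  # accumulate differences without branching on them
    return diff == 0, len(a)


def verify(key: bytes, base_string: bytes, presented: bytes) -> bool:
    """Preferred form: the standard library's constant-time comparison."""
    return hmac.compare_digest(sign(key, base_string), presented)
```

The byte counters only make the difference in work visible; in real code call `hmac.compare_digest` rather than a hand-written loop.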