apiguy / go-hmacauth

HMAC Auth for Martini web applications
MIT License
38 stars 4 forks

comparing ab.Signature != signString(sts, sk) is insecure #2

Open edulix opened 10 years ago

edulix commented 10 years ago

You should use a constant-time comparison if you don't want to be vulnerable to side-channel timing attacks.
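The comparison from the issue title next to a constant-time replacement, as an added example that is not part of the thread or of the project's code. Only the names `signString`, `sts` and `sk` come from the issue title; the `signString` body (HMAC-SHA256, base64), the function names `verifyInsecure` and `verifyConstantTime`, and the sample request string and key are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// signString stands in for the project's function of the same name.
// Assumption: HMAC-SHA256 over the string-to-sign, base64-encoded.
func signString(sts, sk string) string {
	mac := hmac.New(sha256.New, []byte(sk))
	mac.Write([]byte(sts))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// verifyInsecure mirrors the pattern in the issue title. String equality
// may stop at the first differing byte, so its running time can depend on
// how long a prefix of the supplied signature is correct.
func verifyInsecure(supplied, sts, sk string) bool {
	return supplied == signString(sts, sk)
}

// verifyConstantTime accepts exactly the same inputs, but hmac.Equal
// examines every byte regardless of where the first mismatch is.
// A length mismatch still returns early; the MAC length is not secret.
func verifyConstantTime(supplied, sts, sk string) bool {
	expected := signString(sts, sk)
	return hmac.Equal([]byte(supplied), []byte(expected))
}

func main() {
	// Constructed sample values, not taken from the project.
	sts := "GET\n/items\n2024-01-01T00:00:00Z"
	sk := "constructed-secret-key"

	good := signString(sts, sk)
	bad := "A" + good[1:]
	if good[0] == 'A' {
		bad = "B" + good[1:]
	}
	fmt.Println("valid signature:   ", verifyConstantTime(good, sts, sk))
	fmt.Println("tampered signature:", verifyConstantTime(bad, sts, sk))
}
```
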

asura-10 commented 4 years ago

The timestamp is already checked. Then, are there still some vulnerable points?