Re: Fwd: little request :)

From:	Yasuo Ohgaki	Date:	Thu, 06 Feb 2014 03:06:35 +0000
Subject:	Re: Fwd: little request :)
References:	1 2 3 4 5	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi Padraic,

On Thu, Feb 6, 2014 at 9:42 AM, Pádraic Brady <[email protected]>wrote:

> Using time delays with a random distribution will simply average out since
> it would have a minimal min to max range. Would work for a few requests but
> not the thousands an exploit would possibly use to get a statistical sample
> for analysis.
>

I agree. Although it works as mitigation, we should not rely on it.

That said, since we don't have good mitigation for length leak,
it may worth to consider as length detection mitigation.

For example, read few random bytes and add them to get number of
iterations, then iterate something for the number. Although it's not
perfect, it makes much harder than nothing.

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (42 messages)

• Pierre JoyeWed, 05 Feb 2014 10:20:27 +0000
  • Yasuo OhgakiWed, 05 Feb 2014 22:57:17 +0000
    • Pádraic BradyThu, 06 Feb 2014 00:42:29 +0000
      • Yasuo OhgakiThu, 06 Feb 2014 03:06:35 +0000
  • Stas MalyshevWed, 05 Feb 2014 23:00:10 +0000
  • Rouven WeßlingThu, 06 Feb 2014 00:06:26 +0000Re: little request :)
    • Tjerk MeestersThu, 06 Feb 2014 03:51:55 +0000
      • Yasuo OhgakiThu, 06 Feb 2014 04:53:29 +0000
    • Lester CaineThu, 06 Feb 2014 05:49:59 +0000
      • Pierre JoyeThu, 06 Feb 2014 05:55:20 +0000
      • Yasuo OhgakiThu, 06 Feb 2014 05:58:47 +0000
        • Lester CaineThu, 06 Feb 2014 23:18:51 +0000
          • Pádraic BradyThu, 06 Feb 2014 23:32:44 +0000
            • Tjerk MeestersFri, 07 Feb 2014 00:32:10 +0000
              • Yasuo OhgakiFri, 07 Feb 2014 01:01:45 +0000
            • Lester CaineFri, 07 Feb 2014 05:17:41 +0000
              • Sanford WhitemanFri, 07 Feb 2014 07:41:32 +0000
                • Pádraic BradyFri, 07 Feb 2014 10:54:16 +0000
              • Pádraic BradyFri, 07 Feb 2014 10:41:29 +0000
                • Lester CaineFri, 07 Feb 2014 11:20:08 +0000
                  • Lester CaineFri, 07 Feb 2014 22:10:12 +0000
                    • Sanford WhitemanFri, 07 Feb 2014 22:45:28 +0000
                    • Pádraic BradyFri, 07 Feb 2014 23:06:28 +0000
                      • Yasuo OhgakiSat, 08 Feb 2014 03:50:17 +0000
                    • Sanford WhitemanFri, 07 Feb 2014 23:56:29 +0000
                  • Sanford WhitemanFri, 07 Feb 2014 22:24:51 +0000
  • Solar DesignerThu, 06 Feb 2014 14:24:48 +0000Re: Fwd: little request :)
    • Yasuo OhgakiThu, 06 Feb 2014 21:45:41 +0000Re: Re: Fwd: little request :)
    • Pádraic BradyThu, 06 Feb 2014 23:44:58 +0000Re: Re: Fwd: little request :)
    • Tjerk MeestersMon, 10 Feb 2014 10:36:18 +0000Re: Re: Fwd: little request :)
      • Solar DesignerMon, 10 Feb 2014 11:45:22 +0000
      • Yasuo OhgakiMon, 10 Feb 2014 19:50:15 +0000
        • Yasuo OhgakiMon, 10 Feb 2014 20:09:42 +0000
        • Tjerk MeestersMon, 10 Feb 2014 23:55:41 +0000
          • Lester CaineTue, 11 Feb 2014 00:39:55 +0000
            • Robert ParkerTue, 11 Feb 2014 17:55:12 +0000
            • Robert ParkerTue, 11 Feb 2014 17:57:49 +0000
          • Solar DesignerTue, 11 Feb 2014 07:43:13 +0000
            • Yasuo OhgakiWed, 12 Feb 2014 09:39:32 +0000
              • Solar DesignerWed, 12 Feb 2014 12:47:33 +0000
                • Pierre JoyeWed, 12 Feb 2014 14:49:38 +0000
                  • Lester CaineWed, 12 Feb 2014 16:34:14 +0000