Hi Padraic,
On Thu, Feb 6, 2014 at 9:42 AM, Pádraic Brady <[email protected]> wrote:
> Using time delays with a random distribution will simply average out since
> it would have a minimal min to max range. Would work for a few requests but
> not the thousands an exploit would possibly use to get a statistical sample
> for analysis.
>
I agree. Although it works as a mitigation, we should not rely on it.
That said, since we don't have a good mitigation for the length leak,
it may be worth considering as a length detection mitigation.
For example, read a few random bytes and add them to get a number of
iterations, then iterate something that many times. Although it's not
perfect, it makes things much harder than doing nothing.
Regards,
--
Yasuo Ohgaki
[email protected]