Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20030401075429.GA17448@openwall.com>
Date: Tue, 1 Apr 2003 11:54:29 +0400
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: virtual.c another question

On Sun, Mar 30, 2003 at 01:57:08PM +0400, Solar Designer wrote:
> On Sun, Mar 30, 2003 at 01:29:38PM +0600, Boris Kovalenko wrote:
> > virtual.c/virtual_userpass
> > fail = 0;
> > if (!is_valid_user(user)) {
> >      user = "INVALID";
> >      fail = 1;
> > }
> > .... many other code
> > 
> > Why to run other code if we already know that user is invalid? Why lstat 
> > directory and try to open file for this "INVALID" user?
> 
> This is to reduce information leaks via timing.

I've got a few more questions about this, so I'll explain on the list.

The attack this approach is meant to deal with relies on measuring the
time it takes the server to process an authentication request.  If
the time would be very different depending on the authentication
failure reason, it would be easy to determine that reason remotely.

-- 
/sd

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.