Peter Stuge
2023-Jun-28 12:01 UTC
Defend against user enumeration timing attacks - overkill
Dmitry Belyavskiy wrote:> May I ask you to explain whether I am wrong in my conclusions?I guess it's not clear what problem you are trying to solve. //Peter
Dmitry Belyavskiy
2023-Jun-28 12:11 UTC
Defend against user enumeration timing attacks - overkill
Dear Peter, I'm trying to balance the original problem statement (protection from users enumeration) and avoid doubling time here if the process has already taken a long time to provide faster auth method iteration. I believe that a better solution is to set some arbitrary (probably configurable) timeout and, in case when we spend more time than that value, avoid doubling it. On Wed, Jun 28, 2023 at 2:04?PM Peter Stuge <peter at stuge.se> wrote:> > Dmitry Belyavskiy wrote: > > May I ask you to explain whether I am wrong in my conclusions? > > I guess it's not clear what problem you are trying to solve. > > > //Peter > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >-- Dmitry Belyavskiy