Remix clone Hacker News

or you could benchmark the functions that compare secrets to user input and figure out how much time it's supposed to take, add 0.5s to the average and always add time before responding to get to that target so essentially your response time is constant regardless of input

▲

tptacek 5 days ago | parent [-]

Important to keep in mind here that the timing attacks Kettle is talking about generally do not take the form of "providing secret input to a function with variable timing".

	▲	jack_pp 4 days ago \| parent [-]
		He says this exact same thing in the Defense at the end: > Finally, yes I do recommend using constant-time functions when comparing user input with secret keys. Just ask anyone who says this is an actual threat to provide a proof of concept.