[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ft-devel] Potential Timing Side-channel in Freetype Library
|
From: |
Werner LEMBERG |
|
Subject: |
Re: [ft-devel] Potential Timing Side-channel in Freetype Library |
|
Date: |
Tue, 19 Feb 2019 21:49:49 +0100 (CET) |
>> What I could imagine, however, is to add some random fuzz so that
>> the rendering time varies by an additional value N (with N to be
>> set by the library user). I can imagine that this would
>> sufficiently reduce the repeatability, making it much harder to
>> execute the attack as described in your paper.
>
> I don't think that belongs in FreeType.
Maybe, yes. The suggestion to load the script's Unicode block as a
whole in advance sounds like a good suggestion – for passwords and the
like you only need a single font at a single size, so this should be
manageable. For CJK scripts and the like, the number of available
glyphs probably prevents easy password recognition anyway, I think.
Werner