Re: [ft-devel] Potential Timing Side-channel in Freetype Library
From: Roland Mainz
Subject: Re: [ft-devel] Potential Timing Side-channel in Freetype Library
Date: Tue, 19 Feb 2019 20:53:20 +0100
On Tue, Feb 19, 2019 at 7:18 PM Alan Coopersmith
<address@hidden> wrote:
>
> On 02/19/19 06:11 AM, Alexei Podtelezhnikov wrote:
> >> an unprivileged attacker could potentially utilize flush+reload cache
> >> side-channel attack to measure the execution time of said subroutine to
> >> infer user input.
> >
> > Isn't it why my passwords show up as ●●●●●●●●● in sensible applications?
>
> From the paper it seems the problem is mainly in those apps, mainly mobile,
> that show the character for a second before transforming to a star or
> bullet, to help people notice when they fat-fingered on their touch
> screen keyboard.
Well, the old-style solution here is to load multiple glyphs at the
same time, like one Unicode block (256 chars), or in 16 char "blocks".
Whatever people are measuring then is pretty much useless because the
compute time spans many glyphs and is summed up across them... =:-)
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) address@hidden
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 3992797
(;O/ \/ \O;)
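
Added example, not part of the original mail and not FreeType code: a sketch of the block-wise loading described above, showing that the sequence of glyph loads depends only on the aligned block a character falls in, not on the character itself. The names `load_glyph_block`, `glyph_loader_fn`, `record_loader` and `same_load_sequence` are hypothetical; the recording loader is a constructed stand-in for a real rasterizer call.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical loader hook. In a FreeType program it would wrap
 * FT_Load_Char(face, cp, flags) and put the result in a glyph cache. */
typedef int (*glyph_loader_fn)(uint32_t cp, void *ctx);

/* Load every glyph of the aligned block that contains cp, always in the
 * same order. block_size must be a power of two (16 or 256 in the mail).
 * Returns the number of glyphs loaded, or -1 on a bad argument. */
int load_glyph_block(uint32_t cp, uint32_t block_size,
                     glyph_loader_fn load, void *ctx)
{
    if (load == NULL || block_size == 0 || (block_size & (block_size - 1)))
        return -1;
    uint32_t first = cp & ~(block_size - 1);   /* start of the block */
    int ok = 0;
    for (uint32_t i = 0; i < block_size; i++)
        if (load(first + i, ctx) == 0)
            ok++;
    return ok;
}

/* Constructed stand-in loader: records the order of requested code points. */
struct trace { uint32_t seen[256]; size_t n; };
static int record_loader(uint32_t cp, void *ctx)
{
    struct trace *t = ctx;
    if (t->n >= 256) return -1;
    t->seen[t->n++] = cp;
    return 0;
}

/* 1 if typing a or b triggers the identical sequence of glyph loads. */
int same_load_sequence(uint32_t a, uint32_t b, uint32_t block_size)
{
    struct trace ta = {0}, tb = {0};
    if (block_size > 256) return 0;
    if (load_glyph_block(a, block_size, record_loader, &ta) < 0) return 0;
    if (load_glyph_block(b, block_size, record_loader, &tb) < 0) return 0;
    return ta.n == tb.n &&
           memcmp(ta.seen, tb.seen, ta.n * sizeof ta.seen[0]) == 0;
}

int main(void)
{
    printf("'a' vs 'f', 16-block:  %d\n", same_load_sequence(0x61, 0x66, 16));
    printf("'a' vs 'q', 16-block:  %d\n", same_load_sequence(0x61, 0x71, 16));
    return 0;
}
```

With 16-character blocks, 'a' and 'q' still land in different blocks and so produce different load sequences; the 256-character block covers both.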