freetype-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ft-devel] Potential Timing Side-channel in Freetype Library


From: Werner LEMBERG
Subject: Re: [ft-devel] Potential Timing Side-channel in Freetype Library
Date: Tue, 19 Feb 2019 21:49:49 +0100 (CET)

>> What I could imagine, however, is to add some random fuzz so that
>> the rendering time varies by an additional value N (with N to be
>> set by the library user).  I can imagine that this would
>> sufficiently reduce the repeatability, making it much harder to
>> execute the attack as described in your paper.
> 
> I don't think that belongs in FreeType.

Maybe, yes.  The suggestion to load the script's Unicode block as a
whole in advance sounds like a good suggestion – for passwords and the
like you only need a single font at a single size, so this should be
manageable.  For CJK scripts and the like, the number of available
glyphs probably prevents easy password recognition anyway, I think.


    Werner

reply via email to

[Prev in Thread] Current Thread [Next in Thread]