https://www.isecpartners.com/blog/2011/february/double-hmac-verification.aspx
Let's not compare hashes in a way that creates cryptographic
side-channels.
When you compare two hashes with the == or === operators, PHP will
internally use memcmp() which returns false after the first byte fails
to match. This creates a side-channel (known in the literature as a
timing attack).
This patch uses hash_hmac() of the expected and supplied strings with a
random 32-byte nonce (a number to be used once) for each comparison,
thus making timing attacks useless. (The output for the comparison
operation is no longer attacker-controllable, so attempting to measure
the time a request takes to fail is useless.)
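
The double-HMAC comparison described in the pull request above, shown next to the direct comparison it replaces. This is an added example, not the patch's code or Joomla's; the function names and sample values are hypothetical, and random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example, not the patch's code. Function names are hypothetical.

// Direct comparison: the byte-wise compare stops at the first mismatch,
// so run time depends on how much of the supplied value is correct.
function naiveEquals($expected, $supplied)
{
    return $expected === $supplied;
}

// Double HMAC: both values are keyed with a nonce generated for this one
// call, and only the resulting MACs are compared.
function doubleHmacEquals($expected, $supplied)
{
    // Reject non-strings up front so arrays or null never reach hash_hmac().
    if (!is_string($expected) || !is_string($supplied)) {
        return false;
    }

    // Assumption: PHP 7+ for random_bytes(); older runtimes need another
    // cryptographically secure source for the 32-byte nonce.
    $nonce = random_bytes(32);

    $expectedMac = hash_hmac('sha256', $expected, $nonce);
    $suppliedMac = hash_hmac('sha256', $supplied, $nonce);

    // This compare may still exit early, but where the MACs first differ
    // depends on the secret nonce, not on how many leading bytes of
    // $supplied were correct, so the timing tells the sender nothing.
    return $expectedMac === $suppliedMac;
}

// Constructed sample values: a stored hash and a guess that differs only
// in its last character.
$stored = hash('sha256', 'constructed-session-token');
$guess  = substr($stored, 0, 63) . ($stored[63] === '0' ? '1' : '0');

var_dump(naiveEquals($stored, $guess));       // leaks match length via timing
var_dump(doubleHmacEquals($stored, $stored));
var_dump(doubleHmacEquals($stored, $guess));
var_dump(doubleHmacEquals($stored, null));
```

On PHP 5.6 and later, the built-in hash_equals() compares two strings in constant time and can replace the final ===.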
Status | New | ⇒ | Pending |
Hi guy,
I could not test this issue. I got this error "The patch could not be applied because the repository is missing". I'm on Joomla! 3.4.4-dev.
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-08-21 13:33:39 |
Closed_By | ⇒ | sarciszewski |
Here's another good explanation -
http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/