Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Your code has precisely the timing attack he tried to describe in it. You're returning early when a user doesn't exist.


So? I'm advocating showing the correct error message... a timing attack is irrelevant in this case.

For that matter, adding a random 500-2000ms timer before returning a failed result would likely be as effective, and not lead to a bad user experience.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: