Comment 4 for bug 1795800

Morgan Fainberg (mdrnstm) wrote : Re: Username enumeration via response timing difference

There are a number of things here that make it difficult to solve:

1) High level languages are much harder to solve these types of issues in (e.g. Python)

2) There is high variance on response times based upon hardware, caching, etc.

3) We already get massive complaints when auth times go up a minute amount per request (250ms increase generates these)

While I agree that there is some level of "it would be nice to mitigate guessing of usernames", I think this is going to be a Class D[0] bug and we should be able to open this up to the public, and generate discussion on acceptable solutions (fixed minimum auth times, random sleeps with fixed minimums, samples of real auth responses, a tuneable to set a minimum + sleep, etc).

[0] https://security.openstack.org/vmt-process.html#incident-report-taxonomy
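Two of the options listed in the comment above, an always-hash verify path and a fixed minimum auth time, shown side by side with the leaky pattern as an added Python example; this is constructed illustration code, not keystone's implementation, and the user store, passwords, PBKDF2 iteration count and the 50 ms floor are assumed values.

```python
"""Timing-oracle mitigation for authentication: always run the password
hash, then pad each response up to a fixed minimum duration.

Constructed example: the user store, passwords, iteration count and
timing floor are hypothetical and not keystone's real implementation."""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000          # constructed: real deployments tune this
MIN_RESPONSE_SECONDS = 0.05  # constructed floor (the "tuneable" minimum)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, stored hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# A dummy credential hashed for unknown usernames, so the verify path does
# the same amount of work whether or not the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)


def leaky_authenticate(username, password):
    """'Before' pattern: unknown users skip the expensive hash entirely, so a
    failed login for a missing user returns measurably faster.
    Returns (ok, hashes_performed)."""
    record = USERS.get(username)
    if record is None:
        return False, 0          # no hash performed: the timing oracle
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored), 1


def constant_work_authenticate(username, password):
    """Hardened: always hash exactly once, then sleep up to the minimum
    response time. Returns (ok, hashes_performed, elapsed_seconds)."""
    start = time.monotonic()
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    ok = ok and username in USERS   # unknown users never succeed
    remaining = MIN_RESPONSE_SECONDS - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)       # pad fast responses up to the floor
    return ok, 1, time.monotonic() - start
```

Set the floor just above the slow path's typical duration on the target hardware; a floor far above it is exactly the per-request latency increase the comment warns about.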