Comment 5 for bug 1795800

Jeremy Stanley (fungi) wrote : Re: Username enumeration via response timing difference

My opinions mirror those expressed by Damien Miller in his oss-security ML followup[*] about CVE-2018-15473 for a similar report in OpenSSH. To summarize, it isn't actually a user enumeration bug, it's a timing oracle which can lead to user enumeration via brute-force mechanisms, and there's a wide gulf of criticality between the two. The usual mitigations against brute-force attacks apply here.

As he noted and Morgan also stated above, it's really impractical to eliminate these sorts of oracles and most ways we might attempt to accomplish that are also likely to introduce noticeable performance regressions. I know it's been a modern shift to start considering usernames sensitive data, but strong passwords/keys should be the focus for protecting authentication so any system design which is weakened by username disclosure is already severely flawed.

If there are ways to improve or mitigate this particular situation in software then I'm not against discussing them, but I agree it's not necessary to do so under embargo.

[*] https://www.openwall.com/lists/oss-security/2018/08/24/1