Comment 6 for bug 1795800

Gage Hugo (gagehugo) wrote : Re: Username enumeration via response timing difference

Tested this with a containerized OpenStack deployment that runs pretty fast: authenticating successfully and providing a non-existent username produced a difference of ~0.020 seconds.

I agree with both Morgan and Jeremy; there likely isn't a very straightforward method for fixing this, as it greatly depends on the overall setup: deployment (VM/container), caching mechanisms, and hardware will all factor into this. Making this public and having a discussion on it is likely the preferred method for tackling this issue.