Comment 11 for bug 1265665

I think that yes, it would be helpful to mention that an object name must already be known in order to use this attack.

Also, the object's account must have a TempURL key set (X-Account-Meta-Temp-URL-Key or X-Account-Meta-Temp-URL-Key-2) in order for this to work; without that, there are no valid signatures at all, so no amount of timing analysis will help.