[liberationtech] In defense of client-side encryption

Ximin Luo infinity0 at gmx.com
Mon Aug 12 07:42:46 PDT 2013


On 12/08/13 14:02, Ben Laurie wrote:
> On 12 August 2013 06:14, Ximin Luo <infinity0 at gmx.com> wrote:
>> How is it possible to defend against timing attacks in JS? Any language theoretically can be compiled into anything, but the JS runtime does not give you much control over what the CPU actually executes. The webcrypto WG you linked to looks interesting, if browsers will provide a native crypto API to JS, preinstalled (at least the mathy bits that you need direct execution control over) as opposed to loaded on-demand by a remote server. Did you ever think about having the cryptocat browser extension using a lower-level language? Firefox at least can run binary extensions; I don't know about Chrome.
> 
> It is possible to defend against timing attacks by writing inherently
> constant time code. For example:
> 
> https://github.com/openssl/openssl/commit/a693ead6dc75455f7f5bbbd631b3a0e7ee457965
> 
> is full of such code.
> 

But does this still necessarily hold after the JS compiler has had its way with it? I can imagine some optimisers perhaps turning code like

return a op b

into something like

if a == 0: return 0;
elif b == 0: return 0;
else return a op b

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
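An added illustration, not from this thread or from the OpenSSL commit it links to, of what "inherently constant time" code looks like at the JavaScript source level: an early-exit comparison beside a branch-free one, plus mask-based select and is-zero helpers that avoid the `if a == 0` shape the message worries an optimiser might introduce. Function names are mine; whether a given JIT preserves the branch-free structure is exactly the open question raised above and is not something this code can guarantee.

```javascript
// Constructed example: source-level constant-time helpers in JavaScript.
// JS bitwise operators truncate to 32-bit integers, which the mask tricks rely on.

// Early-exit comparison: the time taken depends on the index of the first
// mismatching byte, which leaks information about the secret being compared.
function leakyEqual(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return false;   // returns as soon as a byte differs
  }
  return true;
}

// Branch-free comparison: touches every byte, folds all differences into one
// accumulator with OR, and inspects the accumulator only once at the end.
// (Length is treated as public; only the contents are secret.)
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a[i] ^ b[i];               // stays 0 only if every byte matched
  }
  return diff === 0;
}

// Branch-free select: x when flag === 1, y when flag === 0, without `flag ? x : y`.
function constantTimeSelect(flag, x, y) {
  const mask = -(flag & 1) | 0;        // 0x00000000 or 0xFFFFFFFF
  return ((x & mask) | (y & ~mask)) | 0;
}

// Branch-free "is zero" on a 32-bit word: 1 if v === 0, otherwise 0.
// Top bit of (~v & (v - 1)) is set only when v is exactly 0.
function constantTimeIsZero(v) {
  v |= 0;
  return ((~v & (v - 1)) >>> 31) & 1;
}
```

Source-level discipline of this kind is necessary but, as the message points out, not sufficient: the compiler or JIT that runs the code has the last word on which instructions actually execute.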
