
I guess I'm missing the practical vector associated with the "compare" timing attack. All of the js source code is available to see in a debugger, as well as all of the stored memory values. If you've put sensitive information (a secret) in the browser, you've already failed...



That’s true for client-side JavaScript (like I said in the presentation).

It’s a whole different story if you’re using server-side JavaScript (e.g. Node.js), though.


Absolutely true, but this presentation was about "front end"; maybe I misunderstand the usage of that term...
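Added example, not part of the thread: the server-side (Node.js) case raised above, where the secret never reaches the browser but an early-exit string comparison still does less work the sooner a mismatch occurs. The secret, the sample inputs and the function names are constructed for illustration, and the `steps` counter exists only to make the difference visible without measuring wall-clock time.

```javascript
// Constructed sample secret; in a real service this comes from configuration.
const SECRET = 'constructed-api-token-0001';

// Leaky comparison: returns at the first differing character, so the work
// done (and the response time) grows with the length of the matching prefix.
// `steps` counts loop iterations purely to make that visible.
function leakyEqual(expected, supplied) {
  let steps = 0;
  if (expected.length !== supplied.length) return { equal: false, steps };
  for (let i = 0; i < expected.length; i++) {
    steps++;
    if (expected[i] !== supplied[i]) return { equal: false, steps };
  }
  return { equal: true, steps };
}

// Content-independent comparison: always walks the full expected value and
// ORs the byte differences together, deciding only at the end.
// On Node.js prefer the built-in crypto.timingSafeEqual in production code;
// hand-written JavaScript gives no hard timing guarantee under the JIT.
function constantTimeEqual(expected, supplied) {
  const e = Buffer.from(expected, 'utf8');
  const s = Buffer.from(supplied, 'utf8');
  let steps = 0;
  let diff = e.length ^ s.length; // a length mismatch can never compare equal
  for (let i = 0; i < e.length; i++) {
    steps++;
    diff |= e[i] ^ (i < s.length ? s[i] : 0);
  }
  return { equal: diff === 0, steps };
}

const wrongFirst = 'X' + SECRET.slice(1);    // differs at index 0
const wrongLast = SECRET.slice(0, -1) + 'X'; // differs at the last index

for (const [name, fn] of [['leaky', leakyEqual], ['constant', constantTimeEqual]]) {
  console.log(name, fn(SECRET, wrongFirst).steps, fn(SECRET, wrongLast).steps,
    fn(SECRET, SECRET).equal);
}
```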



