node.bcrypt.js

Readme is unclear regarding timing attacks

Open Fuzzypeg opened this issue 2 years ago • 3 comments

The README.md makes apparently contradictory statements regarding timing attacks:

The bcrypt comparison function is not susceptible to timing attacks.

And, the comparison function is not time safe. What that means is that it may exit the function early in the comparison process.

Which is it? Is it susceptible to timing attacks or not? I suspect the first of these statements is supposed to read "The bcrypt comparison function is susceptible to timing attacks"?

Fuzzypeg, Sep 29 '22 01:09

Bcrypt is a first pre-image resistant hash algorithm, which makes timing attacks improbable unless there is a severe flaw in the bcrypt algorithm itself.

To create a timing attack for a hash comparison where you try to guess the plain text, the hash algorithm has to behave predictably for incremental variations of input. Algorithms which are first preimage resistant do not belong to this category.

Timing attacks are more relevant in the context of signatures (such as JWT) where the server calculates a hash and compares it against a user-supplied value. A non-constant time operation can leak the correct hash and you can perform a known plain-text attack to recover the private key.

recrsn, Oct 02 '22 03:10
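The distinction drawn in the comment above, between comparing a hash the server computed from a guess and comparing a value the client supplied directly, as an added example that is not part of the thread or of node.bcrypt.js. It assumes scrypt from Node's standard library as a stand-in for bcrypt; all function names and sample values are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Number of leading bytes that match before the first mismatch. An early-exit
// comparison runs for roughly this many steps, so this is what timing can expose.
function matchedPrefix(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return i;
}

// Assumption: scrypt stands in for bcrypt (bcrypt is not in Node's standard library).
function passwordHash(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 1024, r: 8, p: 1 });
}

// Password check: the server hashes each guess and compares the hash to the
// stored one. Returns the matched hash prefix length for each guess.
function hashPrefixPerGuess(realPassword, guesses, salt) {
  const stored = passwordHash(realPassword, salt);
  return guesses.map((g) => matchedPrefix(passwordHash(g, salt), stored));
}

// MAC check: the compared value comes straight from the client, so the
// matched prefix tracks the supplied bytes directly.
function macPrefix(key, message, suppliedMacHex) {
  const expected = crypto.createHmac("sha256", key).update(message).digest();
  return matchedPrefix(Buffer.from(suppliedMacHex, "hex"), expected);
}

// Hardened MAC check: length test first (timingSafeEqual throws on unequal
// lengths), then a comparison whose duration does not depend on the contents.
function verifyMac(key, message, suppliedMacHex) {
  const expected = crypto.createHmac("sha256", key).update(message).digest();
  const supplied = Buffer.from(suppliedMacHex, "hex");
  return supplied.length === expected.length && crypto.timingSafeEqual(supplied, expected);
}

// Constructed sample values: guesses that share ever more characters with the password.
const SALT = Buffer.from("constructed-salt");
const GUESSES = ["cxxxxxx", "corrxxx", "correcx", "correct"];
console.log(hashPrefixPerGuess("correct", GUESSES, SALT));
```

Guesses that are closer to the password do not match more hash bytes, while in the MAC case the matched prefix follows the supplied bytes, which is why `verifyMac` uses `crypto.timingSafeEqual`.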

@recrsn I understand what a timing attack is. What I don't understand is whether bcrypt's comparison function is susceptible. Because the README says that it is, and it also says that it isn't. Read what I quoted (above). Both statements can't be correct.

Fuzzypeg, Oct 03 '22 02:10

Thanks for the clarification.

It should have been something similar to "The bcrypt algorithm when used for its intended purpose, is not susceptible to timing attacks." Would you like to make a PR with the changes?

recrsn, Oct 06 '22 06:10