When gRPC credentials are validated, an error is returned if either the username or passphrase is incorrect. However, a failed username check will fail the validation immediately without checking the passphrase. This could introduce a timing attack.
It should always be the case that both a supplied username and passphrase are validated before returning a generic error to the caller.
AaronFeickert changed the title from "Authentication timing could leak username correctness" to "Early authentication timing failure could leak username correctness" on Nov 4, 2023
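The behaviour requested in the issue, as an added example (not code from the project; the stored credential, function names and PBKDF2 parameters are assumptions): the early-exit validator beside one that always evaluates both fields, with a call counter showing that the hardened path performs the passphrase work even for an unknown username.

```python
import hashlib
import hmac
import os

# Constructed sample credential (assumption): names and parameters are hypothetical.
SALT = os.urandom(16)
HASH_CALLS = 0  # demo instrumentation only: counts passphrase hash computations

def hash_passphrase(passphrase: str) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 50_000)

STORED_USERNAME = "grpc-admin"
STORED_HASH = hash_passphrase("correct horse battery staple")

class AuthError(Exception):
    """Generic failure; never says which field was wrong."""

def validate_early_exit(username: str, passphrase: str) -> None:
    """Pattern described in the issue: a bad username skips the passphrase check."""
    if username != STORED_USERNAME:
        raise AuthError("invalid credentials")  # returns before any hashing
    if hash_passphrase(passphrase) != STORED_HASH:
        raise AuthError("invalid credentials")

def validate_both(username: str, passphrase: str) -> None:
    """Evaluate both fields every time, then combine without short-circuiting."""
    user_ok = hmac.compare_digest(username.encode(), STORED_USERNAME.encode())
    # The expensive hash runs whether or not the username matched.
    pass_ok = hmac.compare_digest(hash_passphrase(passphrase), STORED_HASH)
    if not (user_ok & pass_ok):  # bitwise AND: both operands already computed
        raise AuthError("invalid credentials")

def hash_calls(validator, username: str, passphrase: str) -> int:
    """Return how many passphrase hashes one validation attempt performed."""
    before = HASH_CALLS
    try:
        validator(username, passphrase)
    except AuthError:
        pass
    return HASH_CALLS - before
```
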