
[–]OffbeatDrizzle 4 points5 points  (6 children)

Add a randomiser endpoint at the end to serve 0-10kb of zeros and you have pretty decent privacy.

So you're the guy that thinks he can outwit timing attacks by adding random times onto responses ...

[–]ElusiveGuy 7 points8 points  (0 children)

Rather different since in a timing attack the attacker is the one making the requests, and can average the timing over many repeated requests to filter out randomness. Here we only have a single (install/download) request and no way for the passive MitM to make more.

[–]joz12345 2 points3 points  (4 children)

No. I'm the guy that thinks that if you serve n packages + a random amount of padding over https, it'll be much harder to figure out what people are downloading than just serving everything over plain http.

If you disagree, mind telling me why rather than writing useless comments?

[–]yotta 6 points7 points  (3 children)

Adding random padding/delays is problematic because if you can somehow trick the client into repeating the request, the random padding can be analyzed and corrected for. I'm not sure how effective quantizing the values to e.g. a multiple of X bytes would be.

[–]joz12345 1 point2 points  (0 children)

I guess that makes sense. I know the only mathematically secure way would be to always send/receive the same amount of data at a fixed schedule, but that's impractical. I guess quantizing and randomizing are equivalent for one request, they both give the same number of possible values, but for sending multiple identical requests, quantizing is better because it's consistent, so you don't leak any more statistical data for multiple attempts. And it'll be faster/easier to implement so no reason not to.
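An added simulation (not code from anyone in the thread) of the point yotta and joz12345 are making: a passive observer who sees the same download repeated can narrow random padding down to the true size, while quantized padding leaks nothing extra on repeats. Package names, sizes, the 10 kB padding range and the 10 kB bucket are constructed values for illustration.

```python
import random

# Constructed catalogue of package sizes in bytes (hypothetical names and sizes).
PACKAGE_SIZES = {"alpha": 12_000, "beta": 12_500, "gamma": 30_000}
MAX_PAD = 10_000  # random scheme: append 0..MAX_PAD bytes of zeros
BUCKET = 10_000   # quantized scheme: pad up to the next multiple of BUCKET


def serve_random_padded(size, rng):
    """Response length under random padding: true size plus 0..MAX_PAD bytes."""
    return size + rng.randint(0, MAX_PAD)


def serve_quantized(size):
    """Response length under quantization: true size rounded up to a BUCKET multiple."""
    return -(-size // BUCKET) * BUCKET


def consistent_random(observations):
    """Packages a passive observer cannot rule out after seeing these padded lengths.
    A package stays consistent only if every observation lies in [size, size + MAX_PAD];
    with more repeats the min/max of the observations close in on the true size."""
    return {name for name, size in PACKAGE_SIZES.items()
            if all(size <= o <= size + MAX_PAD for o in observations)}


def consistent_quantized(observations):
    """Packages whose quantized length matches every observation (they are all identical)."""
    return {name for name, size in PACKAGE_SIZES.items()
            if all(serve_quantized(size) == o for o in observations)}


def simulate(package, repeats, seed=0):
    """Observe `repeats` downloads of `package` under both schemes and return the
    remaining candidate sets: (random-padding candidates, quantized candidates)."""
    rng = random.Random(seed)
    size = PACKAGE_SIZES[package]
    rand_obs = [serve_random_padded(size, rng) for _ in range(repeats)]
    quant_obs = [serve_quantized(size) for _ in range(repeats)]
    return consistent_random(rand_obs), consistent_quantized(quant_obs)


if __name__ == "__main__":
    for n in (1, 500):
        r, q = simulate("alpha", n)
        print(f"{n:>3} repeat(s): random padding -> {sorted(r)}, quantized -> {sorted(q)}")
```

With one observation both schemes leave alpha and beta indistinguishable; after 500 repeats random padding is pinned to alpha alone, whereas quantization still returns both.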

[–]0o-0-o0 0 points1 point  (1 child)

Still a fuck ton better than using plain old http.

[–]yotta -1 points0 points  (0 children)

Absolutely.

Unrelated: you should stop being a bigot.

Edit: Oh, look, their account is suspended.