Subject Re: [Firebird-general] Security paranoia
Author Mark Rotteveel
On Fri, 07 Feb 2014 12:10:53 +0000, Lester Caine <lester@...> wrote:
> PHP is being exercised at the moment by
> http://en.m.wikipedia.org/wiki/Timing_attack and its ease of use for PHP
> applications. Since I do that bit on secure sites in an SQL query is it
> something that is likely to be susceptible to this type of attack? I'm
> talking about stored data, but the database password itself has just come
> to mind!

Are you sure this is about (cryptographic) timing attacks (which is
essentially about being able to glean information about the encrypted
information, cryptographic key etc. by the time something takes), or about
TOCTTOU problems (http://en.wikipedia.org/wiki/Time_of_check_to_time_of_use)
or about time-related information gathering (e.g. login failure takes longer
when the user does exist, making it possible to find out if a user exists
or not)?

> I only ask because I got a grilling from an 'independent security expert'
> at one of my customers yesterday. One of his solutions to his identified
> security problems was to replace the two XPHome machine licenses with
> Windows server ones! Apparently you never could use XPHome legally for
> business use? So I'm not particularly bothered by the nitpicking, but it
> would be nice to be able to speak with some confidence on these things :)

As far as I know the XP Home license does not allow server use, but I
don't see how this would be related to security issues.

Mark
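
The last case mentioned in the reply above (a login failure that takes longer when the user exists), shown as an added example that is not code from this thread or from Firebird. The function names, the in-memory `$users` array standing in for a database lookup, and the sample account are assumptions made for illustration.

```php
<?php
// Constructed sample data: an in-memory array stands in for the users table.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Hash of a random throwaway password, verified when the user name is unknown
// so that both outcomes cost one password_verify() call.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Leaky version: returns before any hashing when the user does not exist.
function naive_login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    return password_verify($password, $users[$user]);
}

// Equalized version: always performs exactly one hash verification.
function equalized_login(array $users, string $dummyHash, string $user, string $password): bool
{
    $known = isset($users[$user]);
    $ok = password_verify($password, $known ? $users[$user] : $dummyHash);
    return $known && $ok;
}

// Median wall-clock time of $fn in milliseconds over $runs calls.
function median_ms(callable $fn, int $runs = 5): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = microtime(true);
        $fn();
        $samples[] = (microtime(true) - $start) * 1000.0;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

// Compare a failed login for an existing and a non-existing user name.
foreach (['alice', 'nobody'] as $user) {
    $naive = median_ms(function () use ($users, $user) {
        naive_login($users, $user, 'wrong guess');
    });
    $equal = median_ms(function () use ($users, $dummyHash, $user) {
        equalized_login($users, $dummyHash, $user, 'wrong guess');
    });
    printf("%-7s naive %8.3f ms   equalized %8.3f ms\n", $user, $naive, $equal);
}
```

The dummy hash has to be created with the same algorithm and cost as the stored hashes, otherwise the two paths still differ in duration.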