
Do you care about that kind of side channel for an offline vault?

If your adversaries are on your box while you operate your vault, then you have already lost because they will also have keyloggers, strace, etc.




What if they hack your Dropbox account and get a copy of the vault that way? They're not on your box, but now they can try to break into your vault.


Well, the decryption code is open source. And they have the ciphertext. So what does a timing attack give the attacker?

If KeePass removes the possible timing attack, the attacker could just add it back in and use their own client, if they have a copy of your database.


Then a timing side channel is not relevant, because they won't be watching you operate the vault. Right?


Why be OK with bad crypto?



