There's a fantastic paper Nate showed me that I need to dig up that established some bounds for timing attacks using statistical filters. Long story short: you can time low microseconds granularity over the Internet, and you can time nanoseconds over a LAN.
Memcmp is just on the threshold of Internet-timeable. And that's memcmp, which screams.
But Internet-timeable is irrelevant, because anyone who wants to time your app is just going to get an account at the same hosting provider as you and wind up a GigE hop or two away. Hosting on Slicehost, EC2, Linode, or GAE? That step took 5 minutes and $20. I'd pay $20 to bust up an app I hadn't even heard of, let alone a popular app.
Suggests 20us over Internet, 100ns over LAN. Are there more complexities to comparing HMACs than are mentioned in this article? I.e. anything else to think about other than not short-circuiting your comparisons when bytes don't match?
More discussion (including from someone called Nate, presumably the same person tptacek is referring to) at:
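On the question above about not short-circuiting comparisons: the following is an added example (not code from this thread or from any project discussed in it) that contrasts an early-exit byte comparison with a fixed-work one. The step counter is a stand-in for elapsed time, and the 8-byte MAC and the guesses are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison, the shape of a typical memcmp-style loop.
   *steps counts the bytes examined, standing in for run time. */
static int leaky_equal(const unsigned char *a, const unsigned char *b,
                       size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;               /* stops at the first mismatch */
    }
    return 1;
}

/* Fixed-work comparison: every byte is read and the differences are ORed
   together. The loop bound depends only on n (public), never on the data. */
static int ct_equal(const unsigned char *a, const unsigned char *b,
                    size_t n, size_t *steps)
{
    volatile unsigned char diff = 0;  /* volatile discourages early-exit optimisation */
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Constructed sample data: expected MAC, and guesses sharing 0 and 3 leading bytes. */
static const unsigned char mac[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
static const unsigned char g0[8]  = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const unsigned char g3[8]  = {0xde, 0xad, 0xbe, 0x00, 0x00, 0x00, 0x00, 0x00};

int main(void)
{
    const unsigned char *guesses[] = {g0, g3, mac};
    for (int i = 0; i < 3; i++) {
        size_t ls, cs;
        int lr = leaky_equal(mac, guesses[i], sizeof mac, &ls);
        int cr = ct_equal(mac, guesses[i], sizeof mac, &cs);
        /* leaky steps grow with the matching prefix; ct steps stay at n */
        printf("guess %d: leaky=%d (%zu steps)  ct=%d (%zu steps)\n",
               i, lr, ls, cr, cs);
    }
    return 0;
}
```

In production code, prefer a library routine written for this purpose, such as OpenSSL's `CRYPTO_memcmp`, over a hand-rolled loop.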