From e974d85cf503aa8da8844d8555c8b843def9f590 Mon Sep 17 00:00:00 2001 From: Nabil Kadimi Date: Mon, 23 Oct 2023 08:15:08 +0100 Subject: [PATCH] Fix small typo (#26) --- docs/secure_coding_and_deployment_hardening/timing_attacks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/secure_coding_and_deployment_hardening/timing_attacks.md b/docs/secure_coding_and_deployment_hardening/timing_attacks.md index 789b427..ffcda95 100644 --- a/docs/secure_coding_and_deployment_hardening/timing_attacks.md +++ b/docs/secure_coding_and_deployment_hardening/timing_attacks.md 
@@ -15,7 +15,7 @@ next: Pattern-matching is a powerful feature of the BEAM platform. Over the years the compiler and runtime have seen numerous performance improvements, often involving reordering or restructuring the patterns that appear in the source code. Measuring the response time of an application that uses pattern matching can reveal details about the values or data structures the application is expecting. An attacker might be able to use this information to drastically reduce the number of attempts needed to achieve a certain result, compared to a brute-force approach. -The following functions compare a received cookie value versus the expected values in the current session. The first function uses pattern matching to determine if the receive value matches the expected value. Pattern matching uses a variable-time equality algorithm to detect differences. For example, if the first bytes of the two values differ, the equality check fails without testing subsequent bytes. Attackers can statistically analyze the time it took for compare two values and eventually infer the expected value. +The following functions compare a received cookie value versus the expected values in the current session. The first function uses pattern matching to determine if the received value matches the expected value. Pattern matching uses a variable-time equality algorithm to detect differences. For example, if the first bytes of the two values differ, the equality check fails without testing subsequent bytes. Attackers can statistically analyze the time it took for compare two values and eventually infer the expected value. ```erlang %% Erlang
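Review bot: The last sentence of the changed paragraph still reads "the time it took for compare two values", which should be "the time it took to compare two values". Since the added line already rewrites this paragraph for the "receive"/"received" fix, correct that in the same commit. The first sentence also says "the expected values in the current session" while the rest of the paragraph refers to a single "expected value", so consider making the wording consistent.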