Base64 encoding/decoding side-channel
defuse opened this issue
The base64 encoding/decoding leaks information about the hash and salt.
I'm closing this right away as "wontfix" because constant-time base64-encoding isn't easily available in all of our supported languages, and the risk is pretty low.
Just wanted to add: If your threat model includes "an attacker might exploit a side channel on base64 encoding", consider using libsodium.
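For reference, a sketch of what a constant-time base64 encoder looks like, as an added example that is not part of this thread or the project's code: each 6-bit value is mapped to its character with masked arithmetic instead of a lookup table indexed by secret bytes. The function names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All-ones when v > bound, else zero; both are below 2^31, so the
 * subtraction wraps and sets the top bit only when v > bound. */
static uint32_t gt_mask(uint32_t v, uint32_t bound)
{
    return 0u - ((bound - v) >> 31);
}

/* Map a 6-bit value to its base64 character with arithmetic only:
 * no table indexed by secret data, no secret-dependent branch. */
static char b64_char_ct(uint32_t v)
{
    uint32_t c = v + 'A';                                /* 0..25  -> A..Z */
    c += gt_mask(v, 25) & (uint32_t)('a' - 'A' - 26);    /* 26..51 -> a..z */
    c += gt_mask(v, 51) & (uint32_t)('0' - 'a' - 26);    /* 52..61 -> 0..9 */
    c += gt_mask(v, 61) & (uint32_t)('+' - '0' - 10);    /* 62     -> +    */
    c += gt_mask(v, 62) & (uint32_t)('/' - '+' - 1);     /* 63     -> /    */
    return (char)(c & 0xff);
}

/* Encode len bytes; out needs 4*((len+2)/3)+1 bytes. Only the length,
 * which is public, drives the control flow. Returns the encoded length. */
size_t b64_encode_ct(char *out, const unsigned char *in, size_t len)
{
    size_t i, o = 0;
    for (i = 0; i < len; i += 3) {
        size_t n = len - i < 3 ? len - i : 3;   /* bytes in this group */
        uint32_t w = (uint32_t)in[i] << 16;
        if (n > 1) w |= (uint32_t)in[i + 1] << 8;
        if (n > 2) w |= in[i + 2];
        out[o++] = b64_char_ct(w >> 18 & 63);
        out[o++] = b64_char_ct(w >> 12 & 63);
        out[o++] = n > 1 ? b64_char_ct(w >> 6 & 63) : '=';
        out[o++] = n > 2 ? b64_char_ct(w & 63) : '=';
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample bytes standing in for a salt. */
    const unsigned char salt[] = { 0xfb, 0xff, 0xbf, 0x4d, 0x61 };
    char out[16];
    b64_encode_ct(out, salt, sizeof salt);
    puts(out);
    return 0;
}
```

A compiler is free to transform this arithmetic, so the constant-time property has to be confirmed on the generated machine code for each target.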