Yes, but I imagine that Ruby returns false on the first mismatch. So

abcdefg
abcd1ab

will return false when it compares f to a

but

1abcef
2acvbf

will return false when it compares 1 to 2, so it leaks how many correct 
bytes an attacker who can measure the time to compare the length has 
guessed to the attacker. With Python this compare behavior has 
apparently led to attacks against cryptographic systems that use it, and 
from what I hear it is likely that Ruby also does not have a 
cryptographically secure compare method.

The way I attempt to solve this in the above code examples is by 
comparing strings on a byte-by-byte basis but not returning true or false 
until all bytes of each string have been compared. But are there other 
timing variations I am missing in the examples? I was told that Ruby 
probably cannot do timing side channel secure compares of strings, but 
I would like to confirm that here.

-- 
Posted via http://www.ruby-forum.com/.
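
An added example, not code from the post above: it contrasts an early-exit comparison with the compare-every-byte approach the post describes, counting bytes examined instead of timing them, and adds a hash-first wrapper so inputs of different length take the same path. The names `leaky_compare`, `fixed_length_compare` and `secure_compare` are hypothetical, and `leaky_compare` only models the early-exit behaviour the post assumes for Ruby's built-in comparison.

```ruby
require 'digest'

# Early-exit comparison, modelling the behaviour the post assumes.
# Returns [equal?, bytes_examined] so the data-dependent work is visible.
def leaky_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize # length check leaks too
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    examined += 1
    return [false, examined] if x != y # stops at the first mismatch
  end
  [true, examined]
end

# Compare every byte pair: XOR the bytes and OR the results into one
# accumulator. No branch depends on the contents, and the loop count
# depends only on the (equal) length.
def fixed_length_compare(a, b)
  unless a.bytesize == b.bytesize
    raise ArgumentError, 'inputs must have equal byte length'
  end
  diff = 0
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    diff |= x ^ y
    examined += 1
  end
  [diff.zero?, examined]
end

# Arbitrary-length inputs: hash both sides first so the values actually
# compared are always 32 bytes, whatever the caller supplied.
def secure_compare(a, b)
  equal, = fixed_length_compare(Digest::SHA256.digest(a),
                                Digest::SHA256.digest(b))
  # The plain == runs only when the digests already match, so its early
  # exit has nothing left to reveal; it guards against a hash collision.
  equal && a == b
end
```

Pure Ruby gives no guarantee about what the interpreter does underneath these integer operations. On Ruby 2.7 and later, `OpenSSL.fixed_length_secure_compare` and `OpenSSL.secure_compare` perform the byte comparison in C via OpenSSL's `CRYPTO_memcmp`.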