Repost: Accidentally forgot to CC this to the mailing list.

>> Unfortunately, this leaks whether a repository exists. If Company XYZ
>> has a repository for each of its clients, it then becomes easy to see if
>> Company XYZ is doing work for a particular client by trying to see if a
>> repository exists.
>
> I wonder how many hosting providers are confident that the code involved
> in this isn't vulnerable to a timing attack.
>
> I would say "not very certain" in the case of GitHub. I don't recall any
> analysis of the timing ever having happened.

I have to agree with this... It's certainly a risk, but if an attacker has enough information to guess the repository names/URLs without triggering a rate limiter, they already have a pretty good idea who Company XYZ is likely working for, and what on.

HP.