/dev/ptmx timing

[vladz <vladz () devzero fr>]

Hi list,

I noticed that it was possible to measure inter-keystrokes timing thanks
to the /dev/ptmx character device.  Any local user that is using
pseudo-terminal can be targeted.

As it may also be used to disclose sensible information such as password
length, I was wondering if it should be treat as a security issue?                      

Description + PoC: http://vladz.devzero.fr/013_ptmx-timing.php.

No sure right now but I think the only way to solve this is to modify
the pts handling at kernel level.  Any opinions on that?

Thanks,
vladz.