fun signersMustHaveCaBitSet() {
    val attackerCa =
      HeldCertificate
        .Builder()
        .serialNumber(1L)
        .certificateAuthority(4)
        .commonName("attacker ca")
        .build()
    val attackerIntermediate =
      HeldCertificate
        .Builder()
        .serialNumber(2L)
        .certificateAuthority(3)
        .commonName("attacker")
        .signedBy(attackerCa)

### Hardware attacks

Physical GPUs or TPUs can also be the target of attacks. [Published
research](https://scholar.google.com/scholar?q=gpu+side+channel) shows that it
might be possible to use side channel attacks on the GPU to leak data from other
running models or processes in the same system. GPUs can also have
implementation bugs that might allow attackers to leave malicious code running

	if err != nil || numEntries < 0 || int(2*numEntries) < int(numEntries) {
		return nil, ErrHeader
	}

	// Parse for all member entries.
	// numEntries is trusted after this since a potential attacker must have
	// committed resources proportional to what this library used.
	if err := feedTokens(2 * numEntries); err != nil {
		return nil, err
	}
	spd := make(sparseDatas, 0, numEntries)

    # Return some error
    ...
```

But by using the `secrets.compare_digest()` it will be secure against a type of attacks called "timing attacks".

### Timing Attacks { #timing-attacks }

But what's a "timing attack"?

Let's imagine some attackers are trying to guess the username and password.

And they send a request with a username `johndoe` and a password `love123`.

    @Nonnull
    Optional<Path> getPath(@Nonnull Project project);

    /**
     * Returns an immutable collection of attached artifacts for the given project.
     * Attached artifacts are secondary artifacts produced during the build (e.g., sources jar,
     * javadoc jar, test jars). These artifacts are created and attached during specific
     * lifecycle phases, so the collection contents depend on the build phase when this method
     * is called.

  fun headers(name: String): List<String> = headers.values(name)

  /** Returns the tag attached with [T] as a key, or null if no tag is attached with that key. */
  @JvmName("reifiedTag")
  inline fun <reified T : Any> tag(): T? = tag(T::class)

  /** Returns the tag attached with [type] as a key, or null if no tag is attached with that key. */
  fun <T : Any> tag(type: KClass<T>): T? = type.java.cast(tags[type])

  /**

        Please open Android-related issues on [the Android Issue Tracker](https://source.android.com/source/report-bugs)
        Please open IntelliJ-related issues on [the JetBrains Issue Tracker](https://youtrack.jetbrains.com/newIssue?project=IDEA)

    # Return some error
    ...
```

Pero al usar `secrets.compare_digest()` será seguro contra un tipo de ataques llamados "timing attacks".

### Timing Attacks

¿Pero qué es un "timing attack"?

Imaginemos que algunos atacantes están tratando de adivinar el nombre de usuario y la contraseña.

Y envían un request con un nombre de usuario `johndoe` y una contraseña `love123`.

By default, OkHttp trusts the certificate authorities of the host platform. This strategy maximizes connectivity, but it is subject to certificate authority attacks such as the [2011 DigiNotar attack](https://www.computerworld.com/article/2510951/cybercrime-hacking/hackers-spied-on-300-000-iranians-using-fake-google-certificate.html). It also assumes your HTTPS servers’ certificates are signed by a certificate authority.

		return errServerNotInitialized
	}

	started := tracker.Started
	if started.IsZero() || started.Equal(timeSentinel) {
		healingLogIf(ctx, fmt.Errorf("unexpected tracker healing start time found: %v", started))
		started = time.Time{}
	}

	// Final tracer update before quitting
	defer func() {
		tracker.setObject("")
		tracker.setBucket("")
		healingLogIf(ctx, tracker.update(ctx))
	}()