Same page merging reportedly uses a hash to evaluate if a page is the
   same.

   While I’m unclear on what hash is used and there is some mention of
   SHA-1 on various things written about it, it is possible that a timing
   attack could be used if a colliding hash exists, but the data it self
   varies in the last portion of the page. A keyed hash, with a randomly
   chosen key at the time of evaluation, could be used. There would be no
   need for HMAC because the length of the data is fixed (although length
   extension attacks appear to be a protocol issue).

   It is also possible that the hash evaluation is vulnerable to a timing
   attack, which can be a separate issue.