OpenSSL fixes High Severity data-stealing bug – patch now!
7 memory mismanagements and a timing attack. We explain all the jargon bug terminology in plain English… Continue reading OpenSSL fixes High Severity data-stealing bug – patch now!
If I have sensitive HTTP routes that could be subject to timing attacks (trying to guess an ID, user, etc.), is there a way without modifying the application code that it could be wrapped with a network tweak, proxy, or some other program … Continue reading Is there a generic way to prevent HTTP timing attacks for sensitive requests?
I have an application where users can log in by providing a username or email address (both case insensitive) and a password. In the users table in the database, the relevant account information is stored in three columns lowercase_usernam… Continue reading What are best practices for finding an account in a SQL database during authentication? Is using `LIMIT 1` vulnerable to timing attacks?
This question is purely theoretical, I have no intention of ever implementing this scheme in practice. I’m familiar with the shortcomings of sleeping as a means of mitigating timing attacks. I’m more interested in this from the attacker’s pe… Continue reading Does this theoretical salted-hash-sleep scheme mitigate timing attacks?
Here is the code which potentially can allow a timing attack
$user = getUserFromDatabase($input_username);
if ($user === false) { // potential timing attack
// user not exist
http_response_code(401);
echo json_encode(["me… Continue reading How to prevent a timing attack when I do/don’t perform password_verify (depending if the user exists)?
I’d like to implement a RESTful API service over HTTP that developers can call from their server side environments.
I intend to use a cryptographically secure pseudo-random number generator (CSPRNG) to generate keys and then convert the bi… Continue reading Is using a developer key to protect a REST API good practice?
When dealing with cryptographic secrets (private keys, passwords, etc) it is desirable to not run these secrets through functions that do not run in constant time, in order to avoid the potential for side channel attacks. An example of thi… Continue reading Constant-Time String-to-Byte Encoding for JavaScript
I was routinely checking up all my servers, I found a strange process with kthreaddk command running up and taking up all 100% CPU resources. After checking it out I found that www-data (default user for php-fpm) has shell access. So I had… Continue reading Cryptomining on my AWS VPS
I have a service that accepts an HTTP POST request from the end-user’s browser. The user passes their only email. I intend the server to generate a token and store this in a database, and email them the HMAC’d token as a means of implemen… Continue reading Should I be concerned about timing attacks on HTTP service for passwordless signin?