
178 points saikatsg | 2 comments

biosboiii No.42209725
I did some research a few weeks ago on the topic of database lookup timing side-channels; the conclusion is: they don't really exist (for SELECT FROM WHERE commands at least). https://altayakkus.substack.com/p/timing-side-channel-on-sql...

1. Sjoerd No.42212742
I came to the same conclusion. Many string comparison implementations don't actually compare one character at a time. In one case strcmp seemed to compare eight characters at a time, so you would need to guess eight characters correctly to get a time difference. Glibc memcmp can compare 32 bytes at a time. In C# the timing of string compare depends on whether it does Unicode normalization or not. Even then, the difference is less than a nanosecond per compared character. It is not as straightforward that every string comparison between sensitive data and user input is at risk of timing attacks.

https://www.sjoerdlangkemper.nl/2024/05/29/string-comparison...

2. albinowax_ No.42214178
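An added illustration of the point Sjoerd makes above about word-at-a-time comparison (this is example code written for this thread, not code from either linked article). It assumes a constructed 16-byte secret and counts comparison steps as a stand-in for elapsed time, since, as the comment notes, the real per-byte difference is below a nanosecond. The three strategies are a byte-at-a-time loop, an 8-byte-word loop modelled on an optimised strcmp/memcmp (glibc may use wider chunks), and a constant-time loop that always touches every byte:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed secret for the demonstration (not from the thread). */
#define SECRET_LEN 16
static const char SECRET[] = "s3cretP4ssw0rd!!";

/* Byte-at-a-time compare: returns at the first mismatch, so the step
 * count grows by one for every correctly guessed leading byte. */
int compare_bytewise(const uint8_t *a, const uint8_t *b, size_t n, size_t *ops)
{
    *ops = 0;
    for (size_t i = 0; i < n; i++) {
        (*ops)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Word-at-a-time compare, as an optimised strcmp/memcmp does: 8 bytes per
 * step, so the step count only changes when a whole 8-byte chunk matches.
 * Any trailing bytes are compared one at a time. */
int compare_wordwise(const uint8_t *a, const uint8_t *b, size_t n, size_t *ops)
{
    size_t i = 0;
    *ops = 0;
    for (; i + 8 <= n; i += 8) {
        uint64_t wa, wb;
        memcpy(&wa, a + i, 8);   /* memcpy avoids unaligned-access issues */
        memcpy(&wb, b + i, 8);
        (*ops)++;
        if (wa != wb) return 0;
    }
    for (; i < n; i++) {
        (*ops)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time compare: ORs the XOR of every byte pair and never exits
 * early, so the step count is always n regardless of the guess. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *ops)
{
    uint8_t diff = 0;
    *ops = 0;
    for (size_t i = 0; i < n; i++) {
        (*ops)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Step counts for a guess of exactly SECRET_LEN bytes against SECRET. */
size_t steps_bytewise(const char *guess)
{
    size_t ops;
    compare_bytewise((const uint8_t *)SECRET, (const uint8_t *)guess, SECRET_LEN, &ops);
    return ops;
}

size_t steps_wordwise(const char *guess)
{
    size_t ops;
    compare_wordwise((const uint8_t *)SECRET, (const uint8_t *)guess, SECRET_LEN, &ops);
    return ops;
}

size_t steps_constant(const char *guess)
{
    size_t ops;
    compare_constant_time((const uint8_t *)SECRET, (const uint8_t *)guess, SECRET_LEN, &ops);
    return ops;
}

int main(void)
{
    /* Constructed guesses: 6, 8 and 16 correct leading bytes. */
    const char *guesses[] = { "s3cretXXXXXXXXXX", "s3cretP4XXXXXXXX", "s3cretP4ssw0rd!!" };
    printf("%-18s %8s %8s %8s\n", "guess", "bytewise", "wordwise", "const");
    for (size_t i = 0; i < 3; i++)
        printf("%-18s %8zu %8zu %8zu\n", guesses[i],
               steps_bytewise(guesses[i]), steps_wordwise(guesses[i]),
               steps_constant(guesses[i]));
    return 0;
}
```

With six correct leading bytes the byte-at-a-time loop takes 7 steps but the word loop still takes 1; only once all 8 bytes of the first chunk are right does the word loop move to 2 steps, which is the "guess eight characters correctly" effect from the comment. The constant-time variant stays at 16 for every guess, which is what a defender should reach for when the comparison involves a secret, independent of how small the leak from the other two turns out to be in practice.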
I love this, thanks for sharing. When I failed to get a measurable time difference myself I was worried I might just be doing something wrong and it'd get flagged the moment I published my research, so it's great to get confirmation from other people.