An (over)simplified explanation of timing attacks and how to protect yourself
As a developer with an interest in security; every once in...
This made me laugh.
It's like hacking is 1:1 lock picking in digital.
On the one side you have all the math and crypto pros and on the other some people with very practical down to earth solutions.
Someone mentioned the lock-picking analogy to me on Twitter! That's exactly it! :)
This is a good explanation,
But never ever authenticate a client based directly on a string sent in plaintext... If I want to impersonate the app like that, I don't need such an attack. Just sniff the traffic of the app. Even easier if there is a web client.
So if that attack poses a threat for your system, please fix the authentication protocol, not only the string compare.
thanks,
What about DB queries? Does this work as well for methods which query a DB for username and password?
I tried to find how MySQL does string comparison but I couldn't find an exact answer...
I don't know the technical answer with 100% certainty, but I learned about timing attacks while working on a Rails app that uses ActiveRecord to talk to MySQL database so I assume it applies to DB queries as well.
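As an added example (not the article's or any commenter's code), here is the comparison difference the thread is about, in Ruby since the last reply mentions Rails: an early-exit string compare beside a constant-time one. The `steps` counter is a constructed stand-in for elapsed time, so the leak is visible without a stopwatch.

```ruby
# Naive comparison: stops at the first mismatching byte, so the work done
# grows with the length of the correctly guessed prefix. That growth is the
# signal a timing attack measures.
# Returns [equal?, bytes_examined]; the second value is the constructed
# stand-in for wall-clock time.
def naive_equal?(secret, guess)
  return [false, 0] if secret.bytesize != guess.bytesize
  steps = 0
  secret.bytes.zip(guess.bytes).each do |s, g|
    steps += 1
    return [false, steps] if s != g
  end
  [true, steps]
end

# Constant-time comparison: always walks the full string and folds every
# byte difference into one accumulator with XOR/OR, so the work done does not
# depend on where (or whether) the inputs differ. Rails ships the same idea
# as ActiveSupport::SecurityUtils.secure_compare and Rack as
# Rack::Utils.secure_compare; prefer those in an app over rolling your own.
# Note: the length check still reveals the length, which is normally fine
# for fixed-length tokens.
def constant_time_equal?(secret, guess)
  return false if secret.bytesize != guess.bytesize
  diff = 0
  secret.bytes.zip(guess.bytes).each { |s, g| diff |= s ^ g }
  diff.zero?
end

if __FILE__ == $PROGRAM_NAME
  secret = "s3cret" # constructed sample token
  %w[xxxxxx s3xxxx s3crex s3cret].each do |guess|
    equal, steps = naive_equal?(secret, guess)
    puts "naive    #{guess}: equal=#{equal} steps=#{steps}"
    puts "constant #{guess}: equal=#{constant_time_equal?(secret, guess)}"
  end
end
```

Run it and the naive step count climbs with each correct leading byte while the constant-time version gives no such signal; a DB-side `WHERE token = ?` comparison is outside your control, which is why tokens are usually looked up by an id and then compared in application code.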