Timing attack? What’s that about?

September 8, 2009

If you are wondering, like me, what was the “timing attack” fix update in the latest 2.3.4 for, you can read this post here. Basically, if a comparison is made between two strings, it’s done one character at a time, and it stops when the first differing character is encountered. Therefore a potential hacker could measure how much time it takes to check a cookie hash to see if it’s correct or not.

It all seems far fetched, given that surely there must be the overhead in terms of routing from attacker’s PC to your server and Internet Protocol actually works that way that the packets are sent using different nodes, but there are guys who think it’s practical. It’s claimed that most Java programs are exposed under this theoretical vulnerability, so it’s actually not a problem particular to Rails.

However, the bad news about this 2.3.4 patch is that it doesn’t work under Ruby 1.9.1.

Entry Filed under: Uncategorized. Tags: , .

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Trackback this post  |  Subscribe to the comments via RSS Feed

Recent posts

Starting to learn Rails?

Here are 3 books that you need to read:
1 - The Ruby Programming Language
2 - Agile Web Development with Rails, Third Edition
3 - Programming Ruby 1.9: The Pragmatic Programmers' Guide (Facets of Ruby)
This is really (almost) all you need

Archive

Recent comments

gogetakame on Installing Rails on Windows (3…
gogetakame on Installing Rails on Windows (3…
allaboutruby on Installing Rails on Windows (3…
Harsha on Installing Rails on Windows (3…
Eddy Josafat on Google Maps API in Rails (YM4R…