W3C home > Mailing lists > Public > public-web-security@w3.org > October 2011

Re: Security implications of network timing

From: Paul McMillan <paul@mcmillan.ws>
Date: Wed, 5 Oct 2011 17:08:36 -0700
Message-ID: <CAO_YWRVaQVTcEnVLvJpvyC42tyX5rBnjpky4Xamp2Dmzzwe=_w@mail.gmail.com>
To: Billy Hoffman <billy@zoompf.com>
Cc: Tony Gentilcore <tonyg@chromium.org>, public-web-security@w3.org
> The perf guy in me love it. The whitehat in me hates it.

Indeed. It provides precisely the tools necessary to build
sophisticated timing attacks against vulnerable intranet applications.
I expect these capabilities will be on-par with custom native code
attack tools. This addition greatly widens an existing hole in the
firewall. Granted, intranet applications should be secure enough to
deploy in a public facing environment, but they very rarely are. The
usual refrain is that the almighty firewall will save us, and making
them secure is too expensive.

Timing attacks are not as well known as they should be, and most
developers view them as a theoretical nuisance at worst. Adding this
feature will shift the balance in favor of the attackers. These are
not simple privacy attacks. Very often a successful timing attack
allow attackers to forge authentication tokens and can lead to remote
code execution.

I expect this addition to vastly improve the capabilities of BeEF.
http://beefproject.com/

Generally, this will provide the granularity necessary to pivot timing
attacks through the firewall using only the browser, where this was
not practical before.

Some resources related to the issue:
http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
http://rdist.root.org/2010/11/09/blackhat-2010-video-on-remote-timing-attacks/
http://www.cs.rice.edu/~dwallach/pub/crosby-timing2009.pdf

The part of me that builds exploits encourages you to add this feature
as soon as possible! The rest of me is very afraid.

-Paul
Received on Thursday, 6 October 2011 00:09:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 6 October 2011 00:09:34 GMT