- From: Paul McMillan <paul@mcmillan.ws>
- Date: Wed, 5 Oct 2011 17:08:36 -0700
- To: Billy Hoffman <billy@zoompf.com>
- Cc: Tony Gentilcore <tonyg@chromium.org>, public-web-security@w3.org
> The perf guy in me love it. The whitehat in me hates it. Indeed. It provides precisely the tools necessary to build sophisticated timing attacks against vulnerable intranet applications. I expect these capabilities will be on-par with custom native code attack tools. This addition greatly widens an existing hole in the firewall. Granted, intranet applications should be secure enough to deploy in a public facing environment, but they very rarely are. The usual refrain is that the almighty firewall will save us, and making them secure is too expensive. Timing attacks are not as well known as they should be, and most developers view them as a theoretical nuisance at worst. Adding this feature will shift the balance in favor of the attackers. These are not simple privacy attacks. Very often a successful timing attack allow attackers to forge authentication tokens and can lead to remote code execution. I expect this addition to vastly improve the capabilities of BeEF. http://beefproject.com/ Generally, this will provide the granularity necessary to pivot timing attacks through the firewall using only the browser, where this was not practical before. Some resources related to the issue: http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/ http://rdist.root.org/2010/11/09/blackhat-2010-video-on-remote-timing-attacks/ http://www.cs.rice.edu/~dwallach/pub/crosby-timing2009.pdf The part of me that builds exploits encourages you to add this feature as soon as possible! The rest of me is very afraid. -Paul
Received on Thursday, 6 October 2011 00:09:34 UTC