Exposing private information by timing web applications
Authors: A. Bortz, D. Boneh, and P. Nandy
Abstract:
We show that the time web sites take to respond to HTTP requests can
leak private information, using two different types of attacks. The
first, direct timing, directly measures response times from a web
site to expose private information such as the validity of a username at a
secured site or the number of private photos in a publicly
viewable gallery. The second, cross-site timing, enables
a malicious web site to obtain information from the user's perspective at
another site. For example, a malicious site can learn if the user is
currently logged in at a victim site and, in some cases, the number of
objects in the user's shopping cart. Our experiments suggest that
these timing vulnerabilities are widespread. We explain in detail how
and why these attacks work, and discuss methods for writing web application
code that resists these attacks.
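The direct-timing case the abstract describes, illustrated with added example code that is not from the paper or its authors: a login handler whose response time depends on whether the username exists (an unknown name skips the slow password hash), beside a version that performs the same hashing and a constant-time comparison on both paths. The user store, salt, passwords, dummy record and iteration count are all constructed for the illustration.

```python
"""Added example (not from the paper): a login handler whose response time
reveals whether a username exists, beside one that does equal work on both
paths. User store, salt, passwords and iteration count are constructed."""
import hashlib
import hmac
import time

ITERATIONS = 20_000  # constructed; high enough that hashing dominates the request

HASH_CALLS = 0  # counts PBKDF2 invocations so the work per path can be compared


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash; each call is the expensive step a timing probe sees."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, derived key)
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record so the unknown-user path still performs exactly one hash
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_KEY = hash_password("unused-dummy-password", _DUMMY_SALT)


def login_naive(username: str, password: str) -> bool:
    """Leaky: an unknown username returns before any hashing, so it answers
    far faster than a known username with a wrong password."""
    if username not in USERS:
        return False
    salt, key = USERS[username]
    return hash_password(password, salt) == key  # == also stops at the first differing byte


def login_hardened(username: str, password: str) -> bool:
    """Same result, but one PBKDF2 and one constant-time compare on every path."""
    salt, key = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, key)
    # The dummy record must never authenticate, even if its password were guessed
    return matched and username in USERS


def hash_calls_for(login, username: str) -> int:
    """Expensive hash operations one request triggers: a deterministic proxy for its duration."""
    global HASH_CALLS
    before = HASH_CALLS
    login(username, "wrong-password")
    return HASH_CALLS - before


def timing_gap(login, trials: int = 5) -> float:
    """Median seconds by which a known-username request outlasts an unknown-username one."""
    def median_time(user: str) -> float:
        samples = []
        for _ in range(trials):
            start = time.perf_counter()
            login(user, "wrong-password")
            samples.append(time.perf_counter() - start)
        samples.sort()
        return samples[len(samples) // 2]
    return median_time("alice") - median_time("nobody")


if __name__ == "__main__":
    for name, login in (("naive", login_naive), ("hardened", login_hardened)):
        print(f"{name:9s} hash calls known/unknown: "
              f"{hash_calls_for(login, 'alice')}/{hash_calls_for(login, 'nobody')}, "
              f"timing gap: {timing_gap(login) * 1000:.1f} ms")
```

The hardened handler equalises only the work this code itself does; a database lookup, cache hit or template render that differs between the two outcomes can reintroduce a measurable gap, so the same kind of measurement (`timing_gap` here) belongs in a regression test against the real handler rather than being assumed away.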
Reference:
In proceedings of the 16th International Conference on World Wide Web,
WWW 2007, ACM 2007, pp. 621-628
Full paper: pdf [first posted 3/2007]