[WEB SECURITY] quick question on password reset 'best practices'

bugtraq at cgisecurity.net bugtraq at cgisecurity.net
Tue Jun 3 17:25:51 EDT 2008


> > This is a great point Jeremiah - I almost always err on the side of
> > caution and consider any roadblock I can throw in the way of an attacker
> > a good thing, but in a high volume site I can definitely see a good case
> > for a less generic response. I wonder if it would be recommended to
> > Sleep() the login process an arbitrary 10 seconds whether it was valid
> > or rejected to take away the timing vector?
> 
> I think it was Robert Auger who recently brought up the question of  
> how to defend against timing attacks on web-based applications and  
> asked how to defend against them. The responses were few and I think  
> indicative of general lack of good ideas on what to do about them. I  
> don't know of any best practices in the webappsec space.

You CAN normalize the response times; however, this would involve slowing down
legit transactions. You'll also in all likelihood have to throw more hardware
at this solution in order to handle more concurrent transactions in massive
environments.

I had sent a post to the list back in May on this topic:
http://www.webappsec.org/lists/websecurity/archive/2008-05/msg00008.html
http://www.webappsec.org/lists/websecurity/archive/2008-05/msg00009.html
http://www.webappsec.org/lists/websecurity/archive/2008-05/msg00010.html

Additional Reading:
http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf
http://www.cgisecurity.com/2007/12/08

One thing's for sure: we've barely scratched the surface of timing attacks. I give it
a year or two before it is 'the next big shiny thing' in the appsec industry :)

Regards,
- Robert
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/
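The response-time normalization Robert describes above, as an added example that is not part of the original post or thread. It contrasts a login handler that returns early for an unknown username (so the attacker can distinguish valid accounts from invalid ones by response time) with one that does the same password-hashing work on every path, compares in constant time, and pads each response up to a fixed floor. Padding to a floor is the point: adding the same fixed Sleep() to both branches, as suggested in the quoted message, would leave the difference between them intact. The PBKDF2 parameters, the 0.25-second floor, the sample user and the dummy record are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Tuple

# Assumed parameters for the example. The hash iteration count is the only
# expensive step in a login, so it is where the "unknown user" vs
# "known user, wrong password" timing difference comes from.
PBKDF2_ITERATIONS = 100_000
RESPONSE_FLOOR_SECONDS = 0.25  # hypothetical floor; set it above your slowest legitimate path


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_db(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed sample store: username -> (salt, pbkdf2 hash)."""
    db = {}
    for name, pw in credentials.items():
        salt = os.urandom(16)
        db[name] = (salt, hash_password(pw, salt))
    return db


USERS = make_user_db({"alice": "correct horse battery staple"})  # constructed sample data

# Dummy record whose only job is to make the unknown-user path do the same work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-not-a-real-password", _DUMMY_SALT)


def login_leaky(db: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Vulnerable: returns before hashing anything when the user is unknown,
    so response time reveals which usernames exist. The '==' on digests is
    also not constant-time."""
    record = db.get(username)
    if record is None:
        return False
    salt, expected = record
    return hash_password(password, salt) == expected


def login_normalized(db: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Hardened: hashes on every path (against a dummy record for unknown
    users), compares in constant time, and pads the response up to a fixed
    floor instead of adding a fixed delay."""
    start = time.monotonic()
    record = db.get(username)
    if record is None:
        salt, expected, user_exists = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        (salt, expected), user_exists = record, True
    candidate = hash_password(password, salt)
    # '&' rather than 'and' so both operands are always evaluated.
    ok = hmac.compare_digest(candidate, expected) & user_exists
    remaining = RESPONSE_FLOOR_SECONDS - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return ok


def median_seconds(fn: Callable[[], object], runs: int = 5) -> float:
    samples = []
    for _ in range(runs):
        t0 = time.perf_counter()
        fn()
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


def timing_gap(login_fn, db, runs: int = 5) -> Tuple[float, float]:
    """Median response time for (unknown user, known user with wrong password):
    the two cases an attacker compares when enumerating accounts."""
    unknown = median_seconds(lambda: login_fn(db, "nobody", "x"), runs)
    known = median_seconds(lambda: login_fn(db, "alice", "wrong-password"), runs)
    return unknown, known


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("normalized", login_normalized)):
        unknown, known = timing_gap(fn, USERS)
        print(f"{name:10s} unknown user: {unknown:.4f}s  known user/bad pw: {known:.4f}s")
```

Run stand-alone, the leaky handler shows the unknown-user path returning in microseconds while the known-user path takes one full PBKDF2 run; the normalized handler reports both at the floor. The cost Robert mentions is visible in the same numbers: every response, including a correct login, now takes at least the floor, which is why the floor has to be chosen per deployment and why the approach eats capacity on a high-volume site.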

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
