Preventing timing attacks on the web @ Fronteers Jam 2016

Back in April, I gave a scary talk about timing attacks at the very first Fronteers Spring Conference (https://dev.opera.com/blog/timing-attacks/). Since then, a new web technology has emerged that enables developers to prevent timing attacks from targeting their websites.

Mathias Bynens

October 06, 2016

Transcript

  1. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE

  2. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE https://mths.be/bvs

  3. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE

  4. @mathias

  5. @mathias

  6. @mathias

  7. @mathias 30 ms

  8. @mathias

  9. @mathias 15 ms

  10. @mathias

  11. @mathias

  12. @mathias

  13. @mathias

  14. @mathias HEIST

  15. @mathias

  16. @mathias HTTP

  17. @mathias HTTP Encrypted

  18. @mathias HTTP Encrypted Information can be

  19. @mathias HTTP Encrypted Information can be Stolen through

  20. @mathias HTTP Encrypted Information can be Stolen through TCP windows

  21. @mathias mths.be/bvo

  22. @mathias “HEIST is a set of techniques that exploit timing side-channels in the browser […] to determine whether a response fitted into a single TCP window or whether it needed multiple. […] an attacker can determine the exact amount of bytes that were needed to send the response back to the client, all from within the browser. It so happens to be that knowing the exact size of a cross-origin resource is just what you need to launch a compression-based attack, which can be used to extract content (e.g. CSRF tokens) from any website using gzip compression.”

  23. @mathias “HEIST is a set of techniques that exploit timing side-channels in the browser […] to determine whether a response fitted into a single TCP window or whether it needed multiple. […] an attacker can determine the exact amount of bytes that were needed to send the response back to the client, all from within the browser. It so happens to be that knowing the exact size of a cross-origin resource is just what you need to launch a compression-based attack, which can be used to extract content (e.g. CSRF tokens) from any website using gzip compression.”

  24. @mathias PREVENTION

  25. @mathias SAME-SITE COOKIES

  26. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  27. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  28. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=lax

  29. @mathias BLOCK THIRD-PARTY !!!
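The prevention slides show the `Set-Cookie` header with `HttpOnly`, `secure` and `SameSite=strict`/`lax`, but not how to check that a site's session cookies actually carry those attributes. The following is an added example, not code from the talk or from Mathias Bynens: it builds a `Set-Cookie` header with the attributes the slides recommend and audits an existing header for a missing `HttpOnly`, `Secure` or `SameSite` attribute. The function names `buildSetCookie`, `parseSetCookie` and `auditSetCookie` are my own.

```javascript
// Added example (not from the talk): build and audit Set-Cookie headers so a
// session cookie carries the attributes the prevention slides recommend.

const VALID_SAMESITE = new Set(["Strict", "Lax", "None"]);

// Build a Set-Cookie header value. Defaults to the strictest settings shown on
// the slides: HttpOnly, Secure, SameSite=Strict.
function buildSetCookie(name, value, opts = {}) {
  const sameSite = opts.sameSite ?? "Strict";
  if (!VALID_SAMESITE.has(sameSite)) {
    throw new Error(`unknown SameSite value: ${sameSite}`);
  }
  // Browsers only honour SameSite=None when Secure is also present.
  if (sameSite === "None" && opts.secure === false) {
    throw new Error("SameSite=None requires Secure");
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.httpOnly !== false) parts.push("HttpOnly");
  if (opts.secure !== false) parts.push("Secure");
  parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header into its name/value pair and an attribute map.
// Attribute names are case-insensitive (RFC 6265), so keys are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (attr === "") continue; // tolerate a trailing semicolon
    const [k, v = true] = attr.split("=");
    cookie.attrs[k.toLowerCase()] = v === true ? true : v.trim();
  }
  return cookie;
}

// Audit a Set-Cookie header against the prevention slides. Returns the list of
// problems found; an empty array means the cookie passes.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push("missing HttpOnly");
  if (!attrs.secure) problems.push("missing Secure");
  const sameSite =
    typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) {
    problems.push("missing SameSite (cookie is sent on cross-site requests)");
  } else if (sameSite === "none") {
    problems.push("SameSite=None sends the cookie cross-site; use Strict or Lax for session cookies");
  }
  return problems;
}

// Constructed sample: the header exactly as it appears on the slide.
const SLIDE_HEADER = "key=value; HttpOnly; secure; SameSite=strict";

console.log(buildSetCookie("session", "abc"));
console.log(auditSetCookie(SLIDE_HEADER)); // []
console.log(auditSetCookie("key=value; Path=/")); // three problems
```

Because attribute names and values are case-insensitive, the slide's `secure; SameSite=strict` spelling passes the audit unchanged. Whether a given cookie should be `Strict` or `Lax` is the policy choice the slides present as alternatives; the audit only flags the settings that leave the cookie attached to cross-site requests.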

  30. @mathias

  31. @mathias THANKS! Front-End Performance — The Dark Side Ep. I: mths.be/bvs HEIST: mths.be/bvp Introduction to Same-Site cookies: mths.be/bvq