Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Preventing timing attacks on the web @ Fronteer...

Mathias Bynens
October 06, 2016
Technology
3
210

Preventing timing attacks on the web @ Fronteers Jam 2016

Back in April, I gave a scary talk about timing attacks at the very first Fronteers Spring Conference (https://dev.opera.com/blog/timing-attacks/). Since then, a new web technology has emerged that enables developers to prevent timing attacks from targeting their websites.

Mathias Bynens

October 06, 2016
Tweet

More Decks by Mathias Bynens

See All by Mathias Bynens
V8 internals for JavaScript developers @ Fronteers 2018
mathiasbynens
2
470
V8 internals for JavaScript developers
mathiasbynens
1
750
What’s new in ES2018?
mathiasbynens
1
110
V8 internals for JavaScript developers
mathiasbynens
0
130
Front-End Performance: The Dark Side @ ColdFront Conference 2016
mathiasbynens
0
340
Hacking with Unicode in 2016
mathiasbynens
14
14k
Front-End Performance: The Dark Side @ Fronteers Spring Conference 2016
mathiasbynens
15
57k
3.14 things I didn’t know about CSS @ CSSConf.asia 2015
mathiasbynens
3
900
3.14 things I didn’t know about CSS @ CSS Day 2014
mathiasbynens
69
29k

Other Decks in Technology

See All in Technology
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
160
いざ、BSC討伐の旅
nikinusu
1
460
Intuneお役立ちツールのご紹介
sukank
3
740
QAEチームが辿った3年 ボクらが改善業務にスクラムを選んだワケ / 20241108_cloudsign_ques23
bengo4com
0
580
製造現場のデジタル化における課題とPLC Data to Cloudによる新しいアプローチ
hamadakoji
0
190
株式会社島津製作所_研究開発(集団協業と知的生産)の現場を支える、OSS知識基盤システムの導入
akahane92
1
170
10分でわかるfreee エンジニア向け会社説明資料
freee
18
520k
"君は見ているが観察していない"で考えるインシデントマネジメント
grimoh
4
1k
マルチモーダルデータ基盤の課題と観点
neonankiti
1
110
ライブラリでしかお目にかかれない珍しい実装
mikanichinose
2
320
徹底比較!HA Kubernetes ClusterにおけるControl Plane LoadBalancerの選択肢
logica0419
2
140
2024年グライダー曲技世界選手権参加報告/2024 WGAC report
jscseminar
0
190

Featured

See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Writing Fast Ruby
sferik
627
61k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
A Tale of Four Properties
chriscoyier
156
23k
Documentation Writing (for coders)
carmenintech
65
4.4k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Automating Front-end Workflow
addyosmani
1366
200k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
A Philosophy of Restraint
colly
203
16k
The Invisible Side of Design
smashingmag
297
50k

Transcript

  1. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE

  2. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE https://mths.be/bvs

  3. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE

  4. @mathias

  5. @mathias

  6. @mathias

  7. @mathias 30 ms

  8. @mathias

  9. @mathias 15 ms

  10. @mathias

  11. @mathias

  12. @mathias

  13. @mathias

  14. @mathias HEIST

  15. @mathias

  16. @mathias HTTP

  17. @mathias HTTP Encrypted

  18. @mathias HTTP Encrypted Information can be

  19. @mathias HTTP Encrypted Information can be Stolen through

  20. @mathias HTTP Encrypted Information can be Stolen through TCP windows

  21. @mathias mths.be/bvo

  22. @mathias “HEIST is a set of techniques that exploit timing

    side-channels in the browser […] to determine whether a response fitted into a single TCP window or whether it needed multiple. […] an attacker can determine the exact amount of bytes that were needed to send the response back to the client, all from within the browser. It so happens to be that knowing the exact size of a cross-origin resource is just what you need to launch a compression-based attack, which can be used to extract content (e.g. CSRF tokens) from any website using gzip compression.”

  23. @mathias “HEIST is a set of techniques that exploit timing

    side-channels in the browser […] to determine whether a response fitted into a single TCP window or whether it needed multiple. […] an attacker can determine the exact amount of bytes that were needed to send the response back to the client, all from within the browser. It so happens to be that knowing the exact size of a cross-origin resource is just what you need to launch a compression-based attack, which can be used to extract content (e.g. CSRF tokens) from any website using gzip compression.”

  24. @mathias PREVENTION

  25. @mathias SAME-SITE COOKIES

  26. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  27. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  28. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=lax

  29. @mathias BLOCK THIRD-PARTY !!!

  30. @mathias

  31. @mathias THANKS! Front-End Performance — The Dark Side Ep. I:

    mths.be/bvs HEIST: mths.be/bvp Introduction to Same-Site cookies: mths.be/bvq