Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Preventing timing attacks on the web @ Fronteers Jam 2016

Mathias Bynens
October 06, 2016
Technology
3
190

Preventing timing attacks on the web @ Fronteers Jam 2016

Back in April, I gave a scary talk about timing attacks at the very first Fronteers Spring Conference (https://dev.opera.com/blog/timing-attacks/). Since then, a new web technology has emerged that enables developers to prevent timing attacks from targeting their websites.

Mathias Bynens

October 06, 2016
Tweet

More Decks by Mathias Bynens

See All by Mathias Bynens
V8 internals for JavaScript developers @ Fronteers 2018
mathiasbynens
2
440
V8 internals for JavaScript developers
mathiasbynens
1
690
What’s new in ES2018?
mathiasbynens
1
89
V8 internals for JavaScript developers
mathiasbynens
0
100
Front-End Performance: The Dark Side @ ColdFront Conference 2016
mathiasbynens
0
280
Hacking with Unicode in 2016
mathiasbynens
14
14k
Front-End Performance: The Dark Side @ Fronteers Spring Conference 2016
mathiasbynens
15
57k
3.14 things I didn’t know about CSS @ CSSConf.asia 2015
mathiasbynens
3
820
3.14 things I didn’t know about CSS @ CSS Day 2014
mathiasbynens
69
29k

Other Decks in Technology

See All in Technology
Java EE/Jakarta EEの現状と将来 ―クラウドネイティブ時代にJava EEは対応できるのか?―
takakiyo
1
100
反実仮想機械学習とは何か
usaito
PRO
7
2.5k
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
170
人間の尊厳、幸福、アクセシビリティ / 第116回「WEB TOUCH MEETING」アクセシビリティSP
nulabinc
PRO
2
180
o11y入門_外形監視を利用したWebアプリケーションへの最適なモニタリング_TechBrew
k5k
3
100
Postman v10リリース後を振り返る
nagix
0
140
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
4
310
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
110
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
100
Tebiki株式会社 エンジニア採用資料
tebiki
0
4.1k
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
2
200
株式会社EventHub・エンジニア採用資料
eventhub
0
1.9k

Featured

See All Featured
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
The Pragmatic Product Professional
lauravandoore
24
5.8k
Typedesign – Prime Four
hannesfritz
36
2.1k
Bootstrapping a Software Product
garrettdimon
PRO
301
110k
The Cult of Friendly URLs
andyhume
74
5.7k
Designing the Hi-DPI Web
ddemaree
276
33k
Optimizing for Happiness
mojombo
370
69k
Fantastic passwords and where to find them - at NoRuKo
philnash
36
2.5k
The Invisible Side of Design
smashingmag
294
49k
Raft: Consensus for Rubyists
vanstee
132
6.2k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Optimising Largest Contentful Paint
csswizardry
7
2.3k

Transcript

  1. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE

  2. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE https://mths.be/bvs

  3. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE

  4. @mathias

  5. @mathias

  6. @mathias

  7. @mathias 30 ms

  8. @mathias

  9. @mathias 15 ms

  10. @mathias

  11. @mathias

  12. @mathias

  13. @mathias

  14. @mathias HEIST

  15. @mathias

  16. @mathias HTTP

  17. @mathias HTTP Encrypted

  18. @mathias HTTP Encrypted Information can be

  19. @mathias HTTP Encrypted Information can be Stolen through

  20. @mathias HTTP Encrypted Information can be Stolen through TCP windows

  21. @mathias mths.be/bvo

  22. @mathias “HEIST is a set of techniques that exploit timing

    side-channels in the browser […] to determine whether a response fitted into a single TCP window or whether it needed multiple. […] an attacker can determine the exact amount of bytes that were needed to send the response back to the client, all from within the browser. It so happens to be that knowing the exact size of a cross-origin resource is just what you need to launch a compression-based attack, which can be used to extract content (e.g. CSRF tokens) from any website using gzip compression.”

  23. @mathias “HEIST is a set of techniques that exploit timing

    side-channels in the browser […] to determine whether a response fitted into a single TCP window or whether it needed multiple. […] an attacker can determine the exact amount of bytes that were needed to send the response back to the client, all from within the browser. It so happens to be that knowing the exact size of a cross-origin resource is just what you need to launch a compression-based attack, which can be used to extract content (e.g. CSRF tokens) from any website using gzip compression.”

  24. @mathias PREVENTION

  25. @mathias SAME-SITE COOKIES

  26. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  27. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  28. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=lax

  29. @mathias BLOCK THIRD-PARTY !!!

  30. @mathias

  31. @mathias THANKS! Front-End Performance — The Dark Side Ep. I:

    mths.be/bvs HEIST: mths.be/bvp Introduction to Same-Site cookies: mths.be/bvq