
Preventing timing attacks on the web @ Fronteers Jam 2016

Back in April, I gave a scary talk about timing attacks at the very first Fronteers Spring Conference (https://dev.opera.com/blog/timing-attacks/). Since then, a new web technology has emerged that enables developers to prevent timing attacks from targeting their websites.

Mathias Bynens

October 06, 2016

Transcript

  1. @mathias
    THE DARK SIDE: EPISODE II
    FRONT-END PERFORMANCE

  2. @mathias
    THE DARK SIDE: EPISODE II
    FRONT-END PERFORMANCE
    https://mths.be/bvs

  4. @mathias
    30 ms

  5. @mathias
    15 ms

  6. @mathias
    HEIST

  7. @mathias
    HTTP

  8. @mathias
    HTTP
    Encrypted

  9. @mathias
    HTTP
    Encrypted
    Information can be

  10. @mathias
    HTTP
    Encrypted
    Information can be
    Stolen through

  11. @mathias
    HTTP
    Encrypted
    Information can be
    Stolen through
    TCP windows

  12. @mathias
    mths.be/bvo

  13. @mathias
    “HEIST is a set of techniques that exploit timing side-channels in the
    browser […] to determine whether a response fitted into a single TCP
    window or whether it needed multiple. […] an attacker can determine
    the exact amount of bytes that were needed to send the response back
    to the client, all from within the browser. It so happens to be that
    knowing the exact size of a cross-origin resource is just what you need to
    launch a compression-based attack, which can be used to extract
    content (e.g. CSRF tokens) from any website using gzip compression.”

  15. @mathias
    PREVENTION

  16. @mathias
    SAME-SITE COOKIES

  17. @mathias
    Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  19. @mathias
    Set-Cookie: key=value; HttpOnly; secure; SameSite=lax

  20. @mathias
    BLOCK THIRD-PARTY !!!

  21. @mathias
    THANKS!
    Front-End Performance — The Dark Side Ep. I: mths.be/bvs
    HEIST: mths.be/bvp
    Introduction to Same-Site cookies: mths.be/bvq

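
The Set-Cookie headers from the same-site cookie slides, as an added example that is not part of the original deck: a small JavaScript audit that parses a Set-Cookie header and reports which of the attributes the talk recommends (Secure, HttpOnly, SameSite=strict or lax) are missing or weakened. The function names and the sample headers are this example's own.

```javascript
// Added example, not from the talk: parse one Set-Cookie header into its
// name and an attribute map (keys lower-cased; bare flags become `true`).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of rest) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Report which of the attributes the slides recommend are missing.
// SameSite=strict: the cookie is never sent on cross-site requests, not
// even top-level navigations from another site. SameSite=lax: withheld on
// cross-site subresource loads (images, iframes, fetch) but still sent on
// top-level navigations, which blunts HEIST-style cross-origin size
// measurement while keeping ordinary links to the site logged in.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!('secure' in attributes)) findings.push('missing Secure');
  if (!('httponly' in attributes)) findings.push('missing HttpOnly');
  let sameSite = null;
  if (!('samesite' in attributes)) {
    findings.push('missing SameSite');
  } else if (typeof attributes.samesite !== 'string') {
    findings.push('SameSite has no value');
  } else {
    sameSite = attributes.samesite.toLowerCase();
    if (sameSite === 'none') {
      // Value added to the spec after this talk; it opts back in to
      // cross-site sending and so gives none of the protection above.
      findings.push('SameSite=None sends the cookie cross-site');
    } else if (sameSite !== 'strict' && sameSite !== 'lax') {
      findings.push(`unrecognised SameSite value "${attributes.samesite}"`);
    }
  }
  return { name, sameSite, findings };
}

// Constructed samples: the slides' two headers plus a weak legacy cookie.
for (const h of ['key=value; HttpOnly; secure; SameSite=strict',
                 'key=value; HttpOnly; secure; SameSite=lax',
                 'session=abc123; Path=/']) console.log(auditSetCookie(h));
```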