Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Preventing timing attacks on the web @ Fronteer...

Mathias Bynens
October 06, 2016
Technology
3
210

Preventing timing attacks on the web @ Fronteers Jam 2016

Back in April, I gave a scary talk about timing attacks at the very first Fronteers Spring Conference (https://dev.opera.com/blog/timing-attacks/). Since then, a new web technology has emerged that enables developers to prevent timing attacks from targeting their websites.

Mathias Bynens

October 06, 2016
Tweet

More Decks by Mathias Bynens

See All by Mathias Bynens
V8 internals for JavaScript developers @ Fronteers 2018
mathiasbynens
2
470
V8 internals for JavaScript developers
mathiasbynens
1
750
What’s new in ES2018?
mathiasbynens
1
110
V8 internals for JavaScript developers
mathiasbynens
0
130
Front-End Performance: The Dark Side @ ColdFront Conference 2016
mathiasbynens
0
350
Hacking with Unicode in 2016
mathiasbynens
14
14k
Front-End Performance: The Dark Side @ Fronteers Spring Conference 2016
mathiasbynens
15
57k
3.14 things I didn’t know about CSS @ CSSConf.asia 2015
mathiasbynens
3
900
3.14 things I didn’t know about CSS @ CSS Day 2014
mathiasbynens
69
29k

Other Decks in Technology

See All in Technology
Application Development WG Intro at AppDeveloperCon
salaboy
0
180
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
Taming you application's environments
salaboy
0
180
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
2
530
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
170
いざ、BSC討伐の旅
nikinusu
2
780
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
360
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430

Featured

See All Featured
YesSQL, Process and Tooling at Scale
rocio
169
14k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Become a Pro
speakerdeck
PRO
25
5k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
The Language of Interfaces
destraynor
154
24k
Adopting Sorbet at Scale
ufuk
73
9.1k
Practical Orchestrator
shlominoach
186
10k

Transcript

  1. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE

  2. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE https://mths.be/bvs

  3. @mathias THE DARK SIDE: EPISODE II FRONT-END PERFORMANCE

  4. @mathias

  5. @mathias

  6. @mathias

  7. @mathias 30 ms

  8. @mathias

  9. @mathias 15 ms

  10. @mathias

  11. @mathias

  12. @mathias

  13. @mathias

  14. @mathias HEIST

  15. @mathias

  16. @mathias HTTP

  17. @mathias HTTP Encrypted

  18. @mathias HTTP Encrypted Information can be

  19. @mathias HTTP Encrypted Information can be Stolen through

  20. @mathias HTTP Encrypted Information can be Stolen through TCP windows

  21. @mathias mths.be/bvo

  22. @mathias “HEIST is a set of techniques that exploit timing

    side-channels in the browser […] to determine whether a response fitted into a single TCP window or whether it needed multiple. […] an attacker can determine the exact amount of bytes that were needed to send the response back to the client, all from within the browser. It so happens to be that knowing the exact size of a cross-origin resource is just what you need to launch a compression-based attack, which can be used to extract content (e.g. CSRF tokens) from any website using gzip compression.”

  23. @mathias “HEIST is a set of techniques that exploit timing

    side-channels in the browser […] to determine whether a response fitted into a single TCP window or whether it needed multiple. […] an attacker can determine the exact amount of bytes that were needed to send the response back to the client, all from within the browser. It so happens to be that knowing the exact size of a cross-origin resource is just what you need to launch a compression-based attack, which can be used to extract content (e.g. CSRF tokens) from any website using gzip compression.”

  24. @mathias PREVENTION

  25. @mathias SAME-SITE COOKIES

  26. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  27. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  28. @mathias Set-Cookie: key=value; HttpOnly; secure; SameSite=lax

  29. @mathias BLOCK THIRD-PARTY !!!

  30. @mathias

  31. @mathias THANKS! Front-End Performance — The Dark Side Ep. I:

    mths.be/bvs HEIST: mths.be/bvp Introduction to Same-Site cookies: mths.be/bvq