
Preventing timing attacks on the web @ Fronteers Jam 2016

Back in April, I gave a scary talk about timing attacks at the very first Fronteers Spring Conference (https://dev.opera.com/blog/timing-attacks/). Since then, a new web technology has emerged that enables developers to prevent timing attacks from targeting their websites.

Mathias Bynens

October 06, 2016

Transcript

  1. @mathias
    THE DARK SIDE: EPISODE II
    FRONT-END PERFORMANCE

  2. @mathias
    THE DARK SIDE: EPISODE II
    FRONT-END PERFORMANCE
    https://mths.be/bvs

  3. @mathias
    THE DARK SIDE: EPISODE II
    FRONT-END PERFORMANCE

  4. @mathias

  5. @mathias

  6. @mathias

  7. @mathias
    30 ms

  8. @mathias

  9. @mathias
    15 ms

  10. @mathias

  11. @mathias

  12. @mathias

  13. @mathias

  14. @mathias
    HEIST

  15. @mathias

  16. @mathias
    HTTP

  17. @mathias
    HTTP
    Encrypted

  18. @mathias
    HTTP
    Encrypted
    Information can be

  19. @mathias
    HTTP
    Encrypted
    Information can be
    Stolen through

  20. @mathias
    HTTP
    Encrypted
    Information can be
    Stolen through
    TCP windows

  21. @mathias
    mths.be/bvo

  22. @mathias
    “HEIST is a set of techniques that exploit timing side-channels in the
    browser […] to determine whether a response fitted into a single TCP
    window or whether it needed multiple. […] an attacker can determine
    the exact amount of bytes that were needed to send the response back
    to the client, all from within the browser. It so happens to be that
    knowing the exact size of a cross-origin resource is just what you need to
    launch a compression-based attack, which can be used to extract
    content (e.g. CSRF tokens) from any website using gzip compression.”

  23. @mathias
    “HEIST is a set of techniques that exploit timing side-channels in the
    browser […] to determine whether a response fitted into a single TCP
    window or whether it needed multiple. […] an attacker can determine
    the exact amount of bytes that were needed to send the response back
    to the client, all from within the browser. It so happens to be that
    knowing the exact size of a cross-origin resource is just what you need to
    launch a compression-based attack, which can be used to extract
    content (e.g. CSRF tokens) from any website using gzip compression.”

  24. @mathias
    PREVENTION

  25. @mathias
    SAME-SITE COOKIES

  26. @mathias
    Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  27. @mathias
    Set-Cookie: key=value; HttpOnly; secure; SameSite=strict

  28. @mathias
    Set-Cookie: key=value; HttpOnly; secure; SameSite=lax
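
As an added example that is not part of the deck: a small Node.js helper that builds the hardened Set-Cookie header shown on slides 26 to 28 and audits existing Set-Cookie headers for the HttpOnly, Secure and SameSite attributes the slides call for. The function names and the sample headers are constructed for this example.

```javascript
// Added example, not the deck's code: build the hardened Set-Cookie header from the
// slides and audit Set-Cookie headers for HttpOnly, Secure and SameSite (names constructed).

// Attribute names and SameSite values are case-insensitive (RFC 6265 / SameSite draft).
function buildSetCookie(name, value, { sameSite = 'Strict', httpOnly = true, secure = true } = {}) {
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error(`bad SameSite: ${sameSite}`);
  const parts = [`${name}=${value}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into { name, value, attrs }, attrs keyed lower-case.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// List findings; an empty list means the cookie matches the deck's recommendation.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (attrs.httponly !== true) findings.push('missing HttpOnly: readable from script');
  if (attrs.secure !== true) findings.push('missing Secure: sent over plain HTTP');
  const mode = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  // Without SameSite (or with None) the cookie rides along on cross-site requests,
  // which is what a HEIST-style cross-origin size measurement relies on.
  if (mode === '' || mode === 'none') findings.push('SameSite missing or None: sent cross-site');
  return findings;
}

// Constructed sample headers: the two from the slides plus one unhardened cookie.
const SAMPLE_HEADERS = [
  'key=value; HttpOnly; secure; SameSite=strict',
  'key=value; HttpOnly; secure; SameSite=lax',
  'session=abc123; Path=/',
];
const REPORT = SAMPLE_HEADERS.map((h) => [h, auditSetCookie(h)]);
```

Run the audit over your own Set-Cookie headers to spot cookies that still ride along on cross-site requests; SameSite=Lax still allows top-level navigations, so use Strict where the cookie is not needed on those.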

  29. @mathias
    BLOCK THIRD-PARTY !!!

  30. @mathias

  31. @mathias
    THANKS!
    Front-End Performance — The Dark Side Ep. I: mths.be/bvs
    HEIST: mths.be/bvp
    Introduction to Same-Site cookies: mths.be/bvq