Fun with Timing Attacks (2024)
Guess secrets in your browser by timing some stuff!
Luckily, due to the Central Limit Theorem, we can assume that samples from time(checkSecretNTimes(guess)) are approximately normal with mean \(N \cdot \mu\) as long as N is sufficiently large. Running this algorithm against a much noisier distribution is much slower, so it isn’t as conducive to an inline demo, but if there’s interest, I may host an endpoint with a vulnerable checkSecret to see who can break it first! Even the === operator is likely to be vulnerable given enough trials if you’re careful about avoiding string interning that leads to constant-time comparison (I couldn’t get this working, but I’d be curious to see if anyone can).
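The data-dependent work that makes a checkSecret measurable, next to a comparison whose work does not depend on the guess, as an added example (not code from the original post). The page names checkSecret but does not show its body, so both implementations, the helper work() and the sample secret are assumptions; character comparisons are counted as a deterministic stand-in for running time.

```javascript
// Added example: function bodies and SECRET are assumptions, not the post's code.
const SECRET = "hunter2!"; // constructed sample secret

// Vulnerable: returns at the first mismatching character, so the work done
// (and therefore the mean running time mu) grows with the correct prefix length.
function checkSecretEarlyExit(guess, stats) {
  if (guess.length !== SECRET.length) return false; // also reveals the length
  for (let i = 0; i < SECRET.length; i++) {
    stats.compared++;
    if (guess.charCodeAt(i) !== SECRET.charCodeAt(i)) return false;
  }
  return true;
}

// Hardened: always visits every character of SECRET and folds all differences
// into one accumulator, so the work is the same wherever the mismatch is.
function checkSecretConstantTime(guess, stats) {
  let diff = guess.length ^ SECRET.length; // length mismatch fails, but late
  for (let i = 0; i < SECRET.length; i++) {
    stats.compared++;
    // Wrap the index so short guesses still drive a fixed number of iterations.
    const g = guess.length ? guess.charCodeAt(i % guess.length) : 0;
    diff |= g ^ SECRET.charCodeAt(i);
  }
  return diff === 0;
}

// Run one check and report how many characters it compared.
function work(check, guess) {
  const stats = { compared: 0 };
  const ok = check(guess, stats);
  return { ok, compared: stats.compared };
}

// Work per guess for each implementation, for side-by-side inspection.
function compareImplementations(guesses) {
  return guesses.map((guess) => ({
    guess,
    earlyExit: work(checkSecretEarlyExit, guess).compared,
    constantTime: work(checkSecretConstantTime, guess).compared,
  }));
}

console.table(compareImplementations(["xxxxxxxx", "hunterxx", "hunter2!"]));
```

In Node.js, `crypto.timingSafeEqual` provides a constant-time comparison for equal-length buffers, so a server-side check does not need a hand-written loop.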