Hi Sanford,
On 7 February 2014 07:41, Sanford Whiteman
<[email protected]> wrote:
>> If your site is vulnerable to a 'timed attack' then something else
>> is wrong?
>
> It's a valid point: a site that locks out accounts after just a few
> failures is not vulnerable to an attack that requires a considerable
> volume of trials against the same account.
>
> However, even though account lockout policies are common on internal
> networks (where intruders may be physically tracked), not everyone with
> a public website can be so punitive. You are basically publishing a
> DoS recipe if your site works this way. In addition, accounts that are
> whitelisted from being locked out (if any) are usually the most
> sensitive ones.
Yep, that's the problem. If you need a high volume of requests, delays
will counter you. Timing attacks don't necessarily need that high a
volume, since they process one byte at a time instead of all possible
combinations of bytes for a given string. So you can spread the attack
over a much longer time period to compensate and still execute it in a
reasonable time frame.
Of course, it would be nice if the victim cooperated ;).
Paddy
--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
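The byte-at-a-time leak Paddy describes, as an added example that is not part of this thread: an early-exit string comparison does work proportional to the matched prefix, while a constant-time comparison (PHP's hash_equals, Python's hmac.compare_digest) does the same work whatever the guess. The secret and guesses are constructed values, and the step counter stands in for the elapsed time an attacker would measure.

```python
import hmac

# Constructed sample secret (not from the thread); in practice this would be a
# stored token or MAC that a remote caller supplies guesses against.
SECRET = b"s3cr3t-token-0042"


def early_exit_equals(a, b):
    """Typical string equality: returns at the first mismatching byte.
    Returns (equal, steps); steps is the number of byte comparisons done,
    which grows with the length of the correctly guessed prefix."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_equals(a, b):
    """Compare every byte and fold the differences with OR, so the work done
    does not depend on where the first mismatch is."""
    if len(a) != len(b):
        # For a fixed-length secret the length is public anyway.
        return False, 0
    steps = 0
    diff = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


def work_profile(compare, guesses):
    """Steps taken by `compare` for each guess against SECRET."""
    return [compare(SECRET, g)[1] for g in guesses]


# Constructed guesses of the same length as SECRET with growing correct prefix.
GUESSES = [b"X" * 17, b"s3c" + b"X" * 14, b"s3cr3t-" + b"X" * 10, SECRET]

if __name__ == "__main__":
    print("early-exit:", work_profile(early_exit_equals, GUESSES))
    print("constant  :", work_profile(constant_time_equals, GUESSES))
    # The standard-library primitive to use instead of == on secrets:
    print("stdlib    :", hmac.compare_digest(SECRET, SECRET))
```

The early-exit profile rises with each correct byte, which is exactly the signal that makes the attack work one byte at a time; the constant-time profile is flat.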