Team for Research in
Ubiquitous Secure Technology

Exposing private information by timing web applications

Citation
"Exposing private information by timing web applications". A. Bortz, D. Boneh, and P. Nandy (eds.), 16th International Conference on World Wide Web, 2007.

Abstract
We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as the validity of a username at a secured site or the number of private photos in a publicly viewable gallery. The second, cross-site timing, enables a malicious web site to obtain information from the user's perspective at another site. For example, a malicious site can learn if the user is currently logged in at a victim site and, in some cases, the number of objects in the user's shopping cart. Our experiments suggest that these timing vulnerabilities are widespread. We explain in detail how and why these attacks work, and discuss methods for writing web application code that resists these attacks.
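The abstract's first example of a direct timing leak (learning whether a username is valid) comes from a common coding pattern: a login handler that returns early for unknown users and only runs its expensive password hash for known ones. The following Python is an added example, not code from the paper or from TRUST, showing that leaky pattern beside a version that does equal work on every path. The credential store, salt, user names and the use of PBKDF2-HMAC-SHA256 are constructed assumptions for this illustration; the measurement helper runs locally so the effect can be seen without a network.

```python
import hashlib
import hmac
import time

# Constructed sample credential store; the salt, user names and passwords are
# placeholders for this example, not values from the paper.
_SALT = b"constructed-example-salt"
_ITERATIONS = 20_000

HASH_CALLS = {"count": 0}  # instrumentation: how many slow hash computations ran


def _hash_password(password: str) -> bytes:
    """Deliberately slow password hash (PBKDF2-HMAC-SHA256); its cost is what
    makes the early-return path below observable in the response time."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice": _hash_password("correct horse battery staple"),
    "bob": _hash_password("hunter2"),
}

# Hash of a password that is never accepted; lets unknown users cost as much as known ones.
_DUMMY_HASH = _hash_password("dummy-password-never-accepted")


def leaky_login(username: str, password: str) -> bool:
    """Vulnerable pattern: returns before hashing when the username is unknown,
    so an unknown user answers in microseconds and a known user in milliseconds.
    The response time alone reveals whether the username exists."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(_hash_password(password), stored)


def hardened_login(username: str, password: str) -> bool:
    """Resistant pattern: do the same expensive work on every path. Unknown users
    are compared against a dummy hash, the comparison is constant-time, and the
    existence check is folded in with a non-short-circuiting AND."""
    stored = USERS.get(username, _DUMMY_HASH)
    matches = hmac.compare_digest(_hash_password(password), stored)
    return matches & (username in USERS)


def hash_calls_for(login, username: str, password: str) -> int:
    """Number of slow hash computations a single login call triggers."""
    before = HASH_CALLS["count"]
    login(username, password)
    return HASH_CALLS["count"] - before


def _median_seconds(login, username: str, password: str, rounds: int) -> float:
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(username, password)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


def timing_ratio(login, rounds: int = 15) -> float:
    """Median response time for a known username divided by that for an unknown
    one, both with a wrong password. Far above 1 means the handler leaks
    username validity; near 1 means it does not, within local measurement noise."""
    known = _median_seconds(login, "alice", "wrong-password", rounds)
    unknown = _median_seconds(login, "mallory", "wrong-password", rounds)
    return known / max(unknown, 1e-9)


if __name__ == "__main__":
    for name, fn in (("leaky_login", leaky_login), ("hardened_login", hardened_login)):
        print(f"{name}: known/unknown timing ratio = {timing_ratio(fn):.1f}")
```

Running the block prints a ratio in the thousands for `leaky_login` and close to 1 for `hardened_login`. The design point is that the fix is not to make the hash faster but to make every response path pay the same cost, and to keep the comparison constant-time; the same reasoning applies to the gallery and shopping-cart cases in the abstract, where per-item work must not scale with the private count that the response time would otherwise reveal.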

Electronic downloads

Citation formats  
  • HTML
    <a href="http://www.truststc.org/pubs/591.html"><i>Exposing private information by timing web applications</i></a>, A. Bortz, D. Boneh, and P. Nandy (eds.), 16th International Conference on World Wide Web, 2007.
  • Plain text
    "Exposing private information by timing web applications". A. Bortz, D. Boneh, and P. Nandy (eds.), 16th International Conference on World Wide Web, 2007.
  • BibTeX
    @proceedings{BortzBonehNandy07_ExposingPrivateInformationByTimingWebApplications,
        title = {Exposing private information by timing web applications},
        editor = {A. Bortz, D. Boneh, and P. Nandy},
        organization = {16th International Conference on World Wide Web},
        year = {2007},
        abstract = {We show that the time web sites take to respond to
                  HTTP requests can leak private information, using
                  two different types of attacks. The first, direct
                  timing, directly measures response times from a web
                  site to expose private information such as the
                  validity of a username at a secured site or the
                  number of private photos in a publicly viewable
                  gallery. The second, cross-site timing, enables a
                  malicious web site to obtain information from the
                  user's perspective at another site. For example, a
                  malicious site can learn if the user is currently
                  logged in at a victim site and, in some cases, the
                  number of objects in the user's shopping cart. Our
                  experiments suggest that these timing
                  vulnerabilities are widespread. We explain in
                  detail how and why these attacks work, and discuss
                  methods for writing web application code that
                  resists these attacks.},
        URL = {http://www.truststc.org/pubs/591.html}
    }
    

Posted by Jessica Gamble on 13 Mar 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.