We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as the validity of a username at a secured site or the number of private photos in a publicly viewable gallery. The second, cross-site timing, enables a malicious web site to obtain information from the user's perspective at another site. For example, a malicious site can learn if the user is currently logged in at a victim site and, in some cases, the number of objects in the user's shopping cart. Our experiments suggest that these timing vulnerabilities are widespread. We explain in detail how and why these attacks work, and discuss methods for writing web application code that resists these attacks.