Comments (5)
Don't timing attacks require physical access to the CPU that's parsing the data?
In that case isn't it a bit useless as you would practically have access to everything already?
I am probably missing something important though as it probably exists for a reason.
from cookie-rs.
Don't timing attacks require physical access to the CPU that's parsing the data?
No. Timing attacks over the network (or any medium) are just as readily achieved.
Oh, had no idea that was practical; I would have thought the differences around it (NIC buffering, routers, switches etc.) would make the range so big that it would be impractical to decipher it.
It seems these techniques are more advanced than I thought.
In that case my take on this is to have it as an option (if the performance difference is "big").
And then give some practical example in the documentation on when the user should consider using the more secure method/feature compared to the faster basic one :)
Exploiting side channels as a network-based attacker is possible. It usually involves a fairly noisy attack which is repeated over and over many times (e.g. millions of times), combined with statistical methods to observe timing variabilities. Such attacks have been used in the past for full plaintext recovery against protocols like TLS, e.g. Lucky13 (great paper if you want to see how such attacks work).
However, the most practical attack against a Base64 decoder/encoder is probably going to be a local microarchitectural side channel. Such side channels have been used in a research setting to recover Base64-encoded cryptographic keys and could still be possible against e.g. a local webserver (possibly on a co-tenant container or VM): https://arxiv.org/pdf/2108.04600.pdf
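To make concrete what "constant-time" means for the decoder being discussed in this thread, here is an added example (written for this page, not code from cookie-rs) that puts a branching `match`-based sextet decoder next to a branchless one and builds a full decoder on the branchless version. It assumes the standard alphabet (A-Z, a-z, 0-9, +, /) with `=` padding, treats the input length and padding count as public, and treats only the character values as secret; `ct_in_range`, `ct_sextet`, `lookup_sextet`, `decode_ct` and `agrees_with_lookup` are names chosen for this example.

```rust
// Added example: branchless Base64 sextet decoding vs. a branching lookup.
// Not cookie-rs code. Assumes the standard alphabet (A-Z a-z 0-9 + /) with
// '=' padding. Input length and padding count are treated as public; only
// the character values are treated as secret.

/// Returns 0xFF if lo <= c <= hi, else 0x00, without a data-dependent branch.
/// Works in u16 so neither subtraction is confused by u8 wraparound:
/// `lo - 1 - c` is negative (bit 15 set) exactly when c >= lo, and
/// `c - hi - 1` is negative exactly when c <= hi.
fn ct_in_range(c: u8, lo: u8, hi: u8) -> u8 {
    let (c, lo, hi) = (c as u16, lo as u16, hi as u16);
    let ge_lo = lo.wrapping_sub(1).wrapping_sub(c);
    let le_hi = c.wrapping_sub(hi).wrapping_sub(1);
    let in_range = ((ge_lo & le_hi) >> 15) as u8; // 1 or 0
    0u8.wrapping_sub(in_range) // 0xFF or 0x00
}

/// Constant-time sextet decode: returns (value, valid_mask), where valid_mask
/// is 0xFF for an alphabet character and 0x00 otherwise. Every range test is
/// evaluated unconditionally and the candidates are combined with masks.
pub fn ct_sextet(c: u8) -> (u8, u8) {
    let upper = ct_in_range(c, b'A', b'Z');
    let lower = ct_in_range(c, b'a', b'z');
    let digit = ct_in_range(c, b'0', b'9');
    let plus = ct_in_range(c, b'+', b'+');
    let slash = ct_in_range(c, b'/', b'/');
    let value = (upper & c.wrapping_sub(b'A'))
        | (lower & c.wrapping_sub(b'a').wrapping_add(26))
        | (digit & c.wrapping_sub(b'0').wrapping_add(52))
        | (plus & 62)
        | (slash & 63);
    (value, upper | lower | digit | plus | slash)
}

/// The straightforward decoder, for comparison. A `match` like this may be
/// compiled to data-dependent branches or a jump table, and a 256-entry
/// lookup table would leak through the cache instead: either way the time
/// taken depends on the secret byte being decoded.
pub fn lookup_sextet(c: u8) -> Option<u8> {
    match c {
        b'A'..=b'Z' => Some(c - b'A'),
        b'a'..=b'z' => Some(c - b'a' + 26),
        b'0'..=b'9' => Some(c - b'0' + 52),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

/// Decode padded standard Base64. The length and padding checks branch on
/// public data only; validity of the secret characters is OR-accumulated into
/// one flag and checked once at the end, so the rejection time does not
/// reveal which position held the bad byte.
pub fn decode_ct(input: &[u8]) -> Option<Vec<u8>> {
    let mut len = input.len();
    let mut pad = 0;
    while pad < 2 && len > 0 && input[len - 1] == b'=' {
        len -= 1;
        pad += 1;
    }
    let body = &input[..len];
    if body.len() % 4 == 1 || (4 - body.len() % 4) % 4 != pad {
        return None; // impossible length or wrong amount of padding
    }
    let mut out = Vec::with_capacity(body.len() * 3 / 4);
    let mut invalid: u8 = 0;
    let mut acc: u32 = 0;
    let mut bits: u32 = 0;
    for &c in body {
        let (v, valid) = ct_sextet(c);
        invalid |= !valid;
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1; // keep only the bits not yet emitted
        }
    }
    if invalid != 0 { None } else { Some(out) }
}

/// Sanity check that the branchless decoder agrees with the plain one for
/// every possible input byte.
pub fn agrees_with_lookup() -> bool {
    (0u8..=255).all(|c| {
        let (v, valid) = ct_sextet(c);
        match lookup_sextet(c) {
            Some(expected) => valid == 0xFF && v == expected,
            None => valid == 0x00 && v == 0,
        }
    })
}

fn main() {
    assert!(agrees_with_lookup());
    // Constructed input for the demo, not data from the thread.
    let decoded = decode_ct(b"aGVsbG8=").map(|v| String::from_utf8(v).unwrap());
    println!("{:?}", decoded);
}
```

The pattern is the one used by constant-time Base64 implementations in general: every alphabet range is tested on every byte, the results are selected with masks rather than `if`, and the only data-dependent decision is the single accept/reject at the end. Note that neither Rust nor LLVM guarantees that such code stays branchless after optimisation; inspecting the generated assembly for the target is the usual way to confirm it.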
Closing with my commentary at #196 (comment).