Free Online Productivity Tools
i2Speak
i2Symbol
i2OCR
iTex2Img
iWeb2Print
iWeb2Shot
i2Type
iPdf2Split
iPdf2Merge
i2Bopomofo
i2Arabic
i2Style
i2Image
i2PDF
iLatex2Rtf
Sci2ools
WWW
2007
ACM
2007
ACM
Exposing private information by timing web applications
We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as validity of an username at a secured site or the number of private photos in a publicly viewable gallery. The second, cross-site timing, enables a malicious web site to obtain information from the user's perspective at another site. For example, a malicious site can learn if the user is currently logged in at a victim site and, in some cases, the number of objects in the user's shopping cart. Our experiments suggest that these timing vulnerabilities are wide-spread. We explain in detail how and why these attacks work, and discuss methods for writing web application code that resists these attacks. Categories and Subject Descriptors K.4.4 [Computers and Society]: Electronic Commerce-Security; K.4.1 [Computers and Society]: Public Poli...
Real-time TrafficInternet Technology | Keywords Web Application | Malicious Web Site | Web Application Code | WWW 2007 |
Related Content
| Added | 22 Nov 2009 |
| Updated | 22 Nov 2009 |
| Type | Conference |
| Year | 2007 |
| Where | WWW |
| Authors | Andrew Bortz, Dan Boneh |
Comments (0)
Researcher Info
|
