This repository was archived by the owner on Sep 24, 2024. It is now read-only.

Authentication example ignore timing attack #3

Open
@Hugo-C


Hello,
I am a bit concerned by the example presented.
Indeed the hash function is likely to take some time and therefore even if the email is not leaked by the error message, it is instead leaked by the difference of time the server took to respond.
A better way, in my opinion, would be to compute a hash in all cases, like:

// Validating the existence of a user with the specified email.
const existingUser = await User.findOne({ email });
if (!existingUser) {
    let _ = await bcrypt.compare(password, "fake password used to counter timing attack");
    return res
        .status(401)
        .json({ errorMessage: "Invalid email or password." });
}

// Validating the password attributed to that User object with the passwordHash
// from the database.
const passwordCorrect = await bcrypt.compare(password, existingUser.passwordHash);
if (!passwordCorrect) {
    return res
        .status(401)
        .json({ errorMessage: "Invalid email or password." });
}

I understand the extra line can undermine the point about error messages, which is the crucial first step, but I feel like at least an extra note about it should be added at the end.
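The mitigation proposed above, as an added example that is not part of the issue or the repository: scrypt from `node:crypto` stands in for bcrypt so the block runs without dependencies, and `login`, `verifyPassword`, `DUMMY_HASH`, `kdfCallsFor` and the user store are hypothetical names. It assumes the comparison only does its full work when given a well-formed hash, so the placeholder is a real hash computed once at startup rather than an arbitrary string.

```javascript
// Added example. scrypt is a stand-in for bcrypt (assumption, not the repo's code).
const crypto = require("node:crypto");

let kdfCalls = 0; // demo instrumentation: counts expensive verifications

// Produce "saltHex:keyHex" for storage.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  const key = crypto.scryptSync(password, salt, 32);
  return `${salt.toString("hex")}:${key.toString("hex")}`;
}

// Re-derive the key with the stored salt and compare in constant time.
function verifyPassword(password, stored) {
  const [saltHex, keyHex] = stored.split(":");
  const expected = Buffer.from(keyHex, "hex");
  kdfCalls += 1;
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, "hex"), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Well-formed hash of a random secret nobody knows. Using a real hash
// guarantees the unknown-email path pays the same derivation cost.
const DUMMY_HASH = hashPassword(crypto.randomBytes(32).toString("hex"));

// Constructed sample user store (stands in for User.findOne).
const users = new Map([
  ["alice@example.com", { passwordHash: hashPassword("correct horse") }],
]);

// Synchronous for brevity; a request handler would use the async API.
function login(email, password) {
  const existingUser = users.get(email);
  // Always verify against some hash, whether or not the user exists.
  const hash = existingUser ? existingUser.passwordHash : DUMMY_HASH;
  const passwordCorrect = verifyPassword(password, hash);
  if (!existingUser || !passwordCorrect) {
    return { status: 401, body: { errorMessage: "Invalid email or password." } };
  }
  return { status: 200, body: {} };
}

// Helper for checking that every path performs the same amount of hashing.
function kdfCallsFor(email, password) {
  const before = kdfCalls;
  const res = login(email, password);
  return { calls: kdfCalls - before, res };
}
```

Counting derivations checks the code path only; confirming the response-time gap is closed still requires measuring the deployed endpoint.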
