Search - "timing attacks"
-
What do you do when your redirect doesn’t go where you tell it?
Clearly I’m missing something.
I stepped through the code, following the failure path of Sheogorath’s Recaptcha. It fails as expected, and hits this redirect before doing anything else:
`return redirect_to new_user_session_path`
I verified that this redirects to the “/users/sign_in” path, and it returns so the server doesn’t even try to authenticate the user. It just nopes out as it should to prevent timing attacks.
But somehow instead of doing that and redirecting as it should, it signs the user in and redirects somewhere else entirely: the role select page, which only happens after authenticating an admin user. It never even hits my breakpoint after the recaptcha check! It never authenticates!
I think what I’m missing is my old reality where things made sense.
3
-
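The rant above describes a `return redirect_to ...` that is followed by a sign-in anyway. One general Rails mechanism that yields that shape of symptom is that `redirect_to` only records the response and never halts the action, while `return` only leaves the method it is written in, so a helper that "returns" a redirect hands control straight back to the action, which keeps going. The following is an added example, not code from the rant or from Sheogorath's Recaptcha: a plain-Ruby stand-in for a Rails controller so it runs without Rails. Every name in it (`captcha_valid?`, `sign_in`, `role_select_path`, `process_action`, `BEFORE_ACTIONS`) is assumed, and the `DoubleRenderError` that real Rails raises on a second redirect is modelled as a plain `RuntimeError`.

```ruby
# Added example (not code from the original rant). Plain-Ruby model of two
# ActionController facts:
#   * redirect_to only records a response; it does not halt the action, and a
#     second render/redirect raises DoubleRenderError;
#   * `return` inside a helper leaves the helper, not the calling action.
# All names below are assumed for illustration.

class FakeResponse
  attr_reader :status, :location

  def initialize
    @status = nil
    @location = nil
  end

  def redirect!(location)
    @status = 302
    @location = location
  end
end

class BaseController
  attr_reader :response, :signed_in

  def initialize(captcha_ok:)
    @captcha_ok = captcha_ok          # assumed: stands in for the captcha verdict
    @response = FakeResponse.new
    @signed_in = false
  end

  # Mirrors Rails semantics: records the redirect, does NOT stop execution.
  def redirect_to(path)
    raise "DoubleRenderError" if performed?
    @response.redirect!(path)
  end

  # Rails: true once a render or redirect has happened in this request.
  def performed?
    !@response.status.nil?
  end

  def new_user_session_path
    "/users/sign_in"
  end

  def role_select_path
    "/roles/select"
  end

  def captcha_valid?
    @captcha_ok
  end

  # The `return` here leaves check_captcha only, not the action that called it.
  def check_captcha
    return redirect_to(new_user_session_path) unless captcha_valid?
    true
  end

  def sign_in
    @signed_in = true
  end
end

# Pitfall: the action ignores that the helper already redirected, so the
# privileged side effect (sign_in) still runs on a failed captcha, and the
# second redirect raises DoubleRenderError.
class BuggySessionsController < BaseController
  def create
    check_captcha
    sign_in
    redirect_to(role_select_path)
  end
end

# Fix 1: the caller checks performed? and stops.
class FixedSessionsController < BaseController
  def create
    check_captcha
    return if performed?
    sign_in
    redirect_to(role_select_path)
  end
end

# Fix 2: run the check as a before-action. Rails halts the callback chain as
# soon as a callback has rendered or redirected, so the action body never runs.
class CallbackSessionsController < BaseController
  BEFORE_ACTIONS = [:check_captcha].freeze

  # Returns true if the action ran, false if a callback halted the request.
  def process_action(action)
    BEFORE_ACTIONS.each do |callback|
      send(callback)
      return false if performed?
    end
    send(action)
    true
  end

  def create
    sign_in
    redirect_to(role_select_path)
  end
end
```

The first thing to assert against the buggy class is not the redirect target but `signed_in`: the session is established even though the captcha failed, so whatever the early redirect was meant to fence off (here the authentication step) still executes. Checking `performed?` in the caller, or putting the check in a `before_action` so the filter chain halts, is what actually stops the request.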
A new system developed at CSAIL was shown to have stronger security guarantees than Intel's existing approach for preventing so-called "timing attacks" like Meltdown and Spectre, made possible by hardware vulnerabilities.
Image courtesy of Graz University of Technology
7
-
I wanna go back to the age where a C program was considered secure and isolated based on its system interface rather than its speed. I want a future where safety does not imply inefficiency. I hate Spectre, and I hate that an abstraction as simple and robust as assembly is so leaky that just by exposing it you've pretty much forfeited all your secrets.
And I especially hate that we chose to solve this by locking down everything rather than inventing an abstraction that's a similarly good compile target but better represents CPUs and therefore does not leak.
31