As the name implies, a timing attack is an technique that uses timing to infer some knowledge that you shouldn’t normally have access to.

Since computers are fundamentally predictable, and everything about them is based off timing and available resources, we can glean a lot of knowledge by simply measuring how long it takes to complete a request.

If you’ve got kids you’ll be familiar with the “brush your teeth” dance we play each day: you ask them to go brush their teeth, they spend exactly 5 milliseconds in the bathroom, and then can’t understand why you know they haven’t brushed their teeth yet!
(My 5 year old hasn’t figured out he needs to wait a bit, while my 9 year old will go read a book or something and take even longer…)

We’ve talked about User Enumeration before, including common ways of hiding the existence of a valid email address, and it’s a good frame for discussing timing attacks, but they aren’t just limited to user enumeration. I’ll provide some more examples after we work through the process for password resets.

Password Resets

It’s typical for password resets to display a status message which either confirms the provided email address is valid, or displays an “unknown email” message. It is the default behaviour in Laravel, and in most cases it is a perfectly acceptable solution.

However, if you do need to prevent enumeration of email addresses through a forgotten password form, a common way to do so is to display the same message, regardless of the success of the request, in response to form submission. That way the user doesn’t know if the email address is valid or not.

Consider the difference between these two email addresses: