psiphon

Possible probing attack using login failure

Bug #457434 reported by root on 2009-05-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	psiphon	Confirmed	Unknown	Unassigned

Bug Description

Login exams take longer if you put in a wrong password. It's important to figure out if this could be used as a probe for valid user id's since the system's behaviour is contingent on valid email address.

Tags:

Revision history for this message

root (n-root-psiphon-ca) wrote on 2009-05-21:

Ithink the feature you're referring to is the growing login delay on invalid password for valid username/email.

This delay doesn't give an attacker any indication that they entered a correct email vs. invalid email (wrong password both cases) because the delay is not in the response with an error message, but in the future time a subsequent login can succeed. In other words, in both cases the attacker gets an instant response with the same error message.

It's true that the valid email case will cause an additional "update" SQL statement to execute (the delay time is incremented). This is on top of a couple other queries in both cases, and taking network time into consideration, I would guess this would be difficult to measure.

So, leaving this here but lowering priority.

Adam P (adam+) on 2009-10-29

Changed in psiphon:
status:	New → Confirmed

Rod (rod-psiphon) on 2009-11-24

visibility:

private → public

Rod (rod-psiphon) on 2010-05-06

tags:

added: category3

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.