[FEATURE REQUEST] Prevent timing attacks to detect valid emails #1026
Comments
Are you using stable or latest? Latest has a 3 second pause before responding, which should be enough (unless the attacker starts using precise timing and statistics based attacks, but that seems unlikely).
Couldn't it just spawn a thread in the background that does the email sending, so that you can't really do timing attacks? A static 3s delay will not stop much.
I am not sure which version I am on; I just installed from the apt-get repo, so I think it's stable.
There was a new release yesterday, so as soon as it makes its way to the repository, you'll have a newer version to play with which definitely will include the 3s delay. Would that solve your problem?
@janwever the package repository now contains the recent release
Motivation
My motivation is to make the software more secure.
Describe the solution you'd like
When you request a password reset and press the button, you get a loading state because the server needs to send an email to the user with a link to change the password. But the loading state is really short when you request a password reset for a username that does not exist, while when you do it for a username that does exist it takes a long time.
So this will indicate to potential hackers whether a username/email exists in the LDAP database. It would be more secure to put this in a background task/job, async or something, so you always show "password reset sent" immediately and fire the job that checks for the user and sends the email in the background.
Describe alternatives you've considered
X
Additional context
X
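The pattern the issue asks for, as an added example that is not part of the issue or of the project's code: a request handler that only enqueues the reset request and returns a fixed message, with the directory lookup and the mail send done by a background worker. The leaky synchronous handler is shown beside it so the timing difference can be measured. The in-memory `KNOWN_USERS` directory, the `slow_send_reset_email` stub and the 0.2 s sleep are constructed stand-ins for the LDAP lookup and SMTP delivery.

```python
import queue
import threading
import time

# Constructed stand-in for the LDAP directory (example data, not the project's).
KNOWN_USERS = {"alice@example.org": "alice"}

# Identical message for every outcome; the response body must not depend on
# whether the address exists, or the timing fix is pointless.
RESPONSE = "If that address is registered, a reset link has been sent."


def slow_send_reset_email(address: str) -> None:
    """Stand-in for the real mail send; sleeps to imitate SMTP latency."""
    time.sleep(0.2)


def leaky_request_reset(address: str) -> str:
    """Synchronous handler (the behaviour the issue describes): the slow path
    runs only when the user exists, so response time reveals existence."""
    if address in KNOWN_USERS:
        slow_send_reset_email(address)
    return RESPONSE


class ResetWorker:
    """Background worker: the request handler only enqueues the address and
    returns; the directory lookup and the mail send happen on this thread,
    so the request path does the same work for known and unknown users."""

    def __init__(self, max_pending: int = 100):
        # Bounded queue: a flood of requests cannot grow memory without limit.
        self.jobs: queue.Queue = queue.Queue(maxsize=max_pending)
        self.sent: list[str] = []
        self._thread = threading.Thread(target=self._run, daemon=True)
        self._thread.start()

    def _run(self) -> None:
        while True:
            address = self.jobs.get()
            if address is None:  # stop sentinel
                self.jobs.task_done()
                break
            try:
                if address in KNOWN_USERS:
                    slow_send_reset_email(address)
                    self.sent.append(address)
            finally:
                self.jobs.task_done()

    def request_reset(self, address: str) -> str:
        """What the HTTP handler would call. Always returns the same text;
        a full queue drops the job silently rather than changing the reply
        (design choice for this example: favour not leaking over delivery)."""
        try:
            self.jobs.put_nowait(address)
        except queue.Full:
            pass
        return RESPONSE

    def drain(self) -> None:
        self.jobs.join()

    def stop(self) -> None:
        self.jobs.put(None)
        self._thread.join()


def timed(fn, *args):
    """Return (result, elapsed_seconds) for one call of fn."""
    t0 = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - t0


def run_demo() -> dict:
    """Time both handlers for a known and an unknown address and return the
    measurements, so a caller can check that only the leaky handler's
    latency depends on whether the address exists."""
    probes = (("known", "alice@example.org"), ("unknown", "nobody@example.org"))
    results = {}
    for label, addr in probes:
        results[f"leaky_{label}"] = timed(leaky_request_reset, addr)
    worker = ResetWorker()
    for label, addr in probes:
        results[f"async_{label}"] = timed(worker.request_reset, addr)
    worker.drain()  # let the background mail send finish
    results["emails_sent"] = list(worker.sent)
    worker.stop()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two points the code makes that the issue does not spell out: a fixed delay added on top of existence-dependent work only shifts both latency distributions by the same constant, so the difference between them survives, whereas moving the lookup and the send off the request path removes the dependency altogether; and because the mail send still happens, the worker (or the endpoint in front of it) needs its own rate limiting, since an attacker who can trigger unlimited reset emails has a different problem to hand you.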