Comparison Time Attacks

Using == to compare sensitive hashes leaves you vulnerable to timing attacks. This is because == returns false as soon as it finds two characters that don’t match. An attacker can make many requests with different values and compare times to figure out how many characters were correct (the shorter the response, the fewer correct characters).

Solution: use a constant-time comparison algorithm.

  • Ruby: Rack::Utils.secure_compare or ActiveSupport::SecurityUtils.secure_compare
  • NodeJS: crypto.timingSafeEqual