I recently learned that there is an attack that utilizes the fact that when brute-forcing a compared string (e.g. hash from a password or token) in a database the query fails a few nanoseconds earlier if the beginning of the string is different than if the end is different and the previous characters are correct. If the attacker manages to get exact isolated access to the query time, the tries necessary to find the correct string significantly decreases in comparison to standard brute-forcing.
Is it even possible to isolate the query time on a remote webserver given there are constant visits of other people and running background processes?
If this is in fact a threat, what are best-practice solutions to secure webservers? Things I thought of:
- Hash the input strings in order to obfuscate the character sequence.
- Add some kind of minimum response time to related queries. Probably bad idea because it may open up DOS attack-vectors and might not be feasible with typical PHP/MySQL-scenarios due to poor multithreading support.