While talking with Martin Ramos Mejia about timing attacks he mentioned that it might be a good idea to measure the time it takes for the server to generate a 404, and then use that as a baseline (not sure exactly how) to help in the comparison of the "real" timing attack requests.
The 404 request timing would give us "the time required for the stack to return a response" and the time associated with a request to the app would show "the stack time + app time". Then it could be possible to make a diff and get only the app time. Note that in this scenario "stack" means: internet routers, remote caches/web servers/etc.
I need to think more about this to understand if it makes sense and how it might be used (in a direct way) or adapted to timing attacks in another way.
While talking with Martin Ramos Mejia about timing attacks he mentioned that it might be a good idea to measure the time it takes for the server to generate a 404, and then use that as a baseline (not sure exactly how) to help in the comparison of the "real" timing attack requests.
The 404 request timing would give us "the time required for the stack to return a response" and the time associated with a request to the app would show "the stack time + app time". Then it could be possible to make a diff and get only the app time. Note that in this scenario "stack" means: internet routers, remote caches/web servers/etc.
I need to think more about this to understand if it makes sense and how it might be used (in a direct way) or adapted to timing attacks in another way.