Closed dtgreiner closed 3 days ago
wouldn't it be easier to just introduce a random wait on every login request? Something between 0 and 1.5 seconds?
If I'm understanding the problem correctly, I think Dave's approach should mask the timing issue as long as our auth is consistently less than 2 secs. If there's just a random wait time it seems like an attacker could still get useful timing information (although it would require a larger sample)
That reminds me, we might also want to check that wait_time is positive. Sleep on a negative number raises an exception and it looks like it might occur in the unlikely event that elapsed > 2.5
The Time.now -> Time.current change and the wait_time.positive? change have been added to the PR
Please squash merge this PR
Description
Enforce a minimum 2 second login time to protect against identifying valid usernames using login time analysis.
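The mechanism the description refers to, written out as an added example in plain Ruby (this is not the PR's code): the login work runs, the elapsed time is measured, and the request is held until at least the minimum has passed, with the remaining wait clamped at zero so a slow request never produces a negative sleep. The helper names, the toy user store and the SHA-256 stretching loop standing in for a real password hash are assumptions; the monotonic clock is used here in place of Rails' Time.current.

```ruby
require "digest"

# Remaining sleep needed to reach the minimum. Clamped at zero: a request that
# already took longer than the minimum would otherwise yield a negative value,
# and sleep(-x) raises ArgumentError in Ruby.
def padding_for(elapsed, minimum:)
  wait_time = minimum - elapsed
  wait_time.positive? ? wait_time : 0.0
end

# Runs the block, then sleeps whatever is left of the minimum. A monotonic
# clock is used so wall-clock adjustments cannot shorten or lengthen the padding.
def with_minimum_duration(minimum:)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = yield
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  padding = padding_for(elapsed, minimum: minimum)
  sleep(padding) if padding.positive?
  result
end

# Constructed stand-in for a slow password hash (a real app would use bcrypt).
STRETCH_ROUNDS = 20_000
def stretch(password)
  STRETCH_ROUNDS.times.inject(password) { |acc, _| Digest::SHA256.hexdigest(acc) }
end

# Constructed user store: one known account.
USERS = { "alice" => stretch("correct horse battery staple") }.freeze

# Unpadded login: returns early for unknown users, so the response time
# reveals whether the username exists.
def login_leaky(username, password)
  stored = USERS[username]
  return false unless stored
  stored == stretch(password)
end

# Padded login: same code path, then held to the minimum duration.
# The padding only masks differences smaller than the minimum; if verification
# sometimes exceeds it, those requests are not padded and the difference shows again.
def login_padded(username, password, minimum: 2.0)
  with_minimum_duration(minimum: minimum) { login_leaky(username, password) }
end

# Measures how long a call takes; used below to show the difference.
def timed
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = yield
  [result, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
end

if $PROGRAM_NAME == __FILE__
  _, unknown = timed { login_leaky("nobody", "x") }
  _, known   = timed { login_leaky("alice", "x") }
  printf("leaky:  unknown user %.4fs, known user %.4fs\n", unknown, known)
  _, unknown = timed { login_padded("nobody", "x") }
  _, known   = timed { login_padded("alice", "x") }
  printf("padded: unknown user %.4fs, known user %.4fs\n", unknown, known)
end
```

Run the file directly to see the unpadded timings differ by roughly the cost of one stretch while both padded calls land at about two seconds. The padding is applied after the work rather than as a random sleep, so the observable duration is a constant as long as the verification itself stays under the minimum.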