Open ryanbnl opened 4 years ago
Update: the diagram in the solution architecture is outdated; the swagger API has already moved to 8-character method names, which covers part of what I mentioned.
Correct, point b is covered by having 8-letter requests AND padding in both request and response.
Point a is covered by the API gateway that randomises timing. I'll leave this open because I have to check if point a is already in place.
@ijansch do you have an update on this?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
The latest solutions architecture mentions doing random uploads to a dummy URL. The communication is covered by TLS but it can still leak information:
a. Hitting a different code path has a high chance of releasing information via timing.
b. Difference in message sizes; the endpoint names are of equal length in the proposal.
They're easy to cover: you're almost certainly using a queue for /upload for scaling and as a strategy to avoid timing attacks. The messages can be dead lettered.
For b you can either add random jitter to requests or normalize the endpoint names. The latter can be handled by infra, using a URL rewriter internally for example.
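As an added illustration of the two leaks discussed in this thread (not code from the project or from any commenter), the sketch below is a gateway-style shim that maps methods to 8-character aliases, pads requests and responses to a fixed block, and holds every response to a fixed minimum time; the alias names, block size and the constant-floor timing (instead of random jitter) are assumptions made for the example.

```python
import secrets
import time

# Constructed example: make a real upload and a dummy upload indistinguishable
# on the wire in endpoint length, payload length and response time.
METHOD_ALIASES = {"upload": "UPLOADKY", "dummy": "DUMMYUPL"}  # assumed 8-char aliases
ALIAS_TO_METHOD = {v: k for k, v in METHOD_ALIASES.items()}
BLOCK_SIZE = 4096            # assumed: all payloads padded to a multiple of this
MIN_RESPONSE_SECONDS = 0.05  # assumed: every response takes at least this long


def pad_to_block(payload: bytes, block: int = BLOCK_SIZE) -> bytes:
    """Prefix a 2-byte length, then fill with random bytes to a block boundary."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for 2-byte length prefix")
    framed = len(payload).to_bytes(2, "big") + payload
    return framed + secrets.token_bytes((-len(framed)) % block)


def unpad(framed: bytes) -> bytes:
    """Recover the original payload from a padded frame."""
    n = int.from_bytes(framed[:2], "big")
    return framed[2:2 + n]


def build_request(method: str, body: bytes):
    """Client side: equal-length alias plus padded body for real and dummy calls."""
    return METHOD_ALIASES[method], pad_to_block(body)


def handle(alias: str, wire_body: bytes):
    """Gateway side: route by alias, normalise response size and response time."""
    start = time.monotonic()
    body = unpad(wire_body)
    if ALIAS_TO_METHOD[alias] == "upload":
        result = b"queued:" + str(len(body)).encode()  # real path: hand off to a queue
    else:
        result = b"ok"                                 # dummy path: discard / dead-letter
    response = pad_to_block(result)
    # Hold the reply to a fixed floor so the code path taken is not visible as a
    # timing difference (constant floor here; the thread mentions random jitter).
    remaining = MIN_RESPONSE_SECONDS - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return response, time.monotonic() - start
```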