Hacker News new | past | comments | ask | show | jobs | submit login

Do you setup a timed sleep to make sure that you return results in exactly the same time regardless of path taken?

For the record, the right way to do this is to just log the request to your database, and have a background process pull the log and take appropriate action later.

Not sure if sarcasm..

This is a real attack vector. It's called a timing attack: http://en.wikipedia.org/wiki/Timing_attack

I am familiar with timing attacks. The thought of someone attempting to apply it over the internet to verify whether an email is registered on a dating site seems laughable.

Applying it over the Internet is quite feasible, especially with simple code. If it connects to a remote SMTP server, the delay may very well be noticeable enough without doing any complicated timing. It might be just about as easy as scraping the page for "user not found" versus "email sent".

I assume that was the original point - that on risque dating sites, the recover password system tries to hide membership.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact