You’ve probably seen that Miller Lite commercial where the girl tells the guy she loves him, and she figures out very quickly whether that love is requited by how slowly he responds.
She doesn’t need to know his answer, just the length of time he takes to come up with it.
If you get that commercial, then you get the latest website security threat that became all the rage this weekend when a well-known Microsoft blogger, Scott Guthrie, wrote about it.
Scott suggested that site administrators take immediate action.
I’m not the biggest fan of “emergency” reactions – you can often do more damage with hastily applied patches than with the problem itself. Certainly in the short-term that’s true, and I think it applies to this case.
I respect Scott as an authority on .NET but I think his post had more to do with CYA politics between Microsoft and the media than prudent site administration. Never mind that the attack applies equally to Apache Web Server, Adobe Flash, or Java Runtime – Microsoft needed to prepare its defense.
Cryptographic oracles – the fancy name for the hacking technique involved in this threat – work by measuring how long a server takes to respond to different queries. Just like the gal in the Miller commercial, the oracle can tell the difference between “love” and “like” just by how long your website takes to respond.
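To make that concrete, here is an added example (not code from the original post or from ASP.NET) in Python: one receiver that rejects bad padding faster than a bad authentication tag and with a different message, which is exactly what an oracle listens for, beside one that checks the tag first in constant time and gives every failure the same answer. The key, the 16-byte padding, the appended HMAC-SHA256 tag and the function names are all constructed for the demo; encryption itself is left out because the leak lives in how failure is reported, not in the cipher.

```python
import hmac
import hashlib

KEY = b"constructed-demo-key"   # constructed for this example only
TAG_LEN = 32                    # HMAC-SHA256 tag appended to the body


def seal(message: bytes) -> bytes:
    """PKCS#7-pad the message to 16 bytes and append an HMAC-SHA256 tag."""
    pad = 16 - len(message) % 16
    body = message + bytes([pad]) * pad
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


def leaky_open(blob: bytes) -> tuple:
    """The oracle: padding is inspected BEFORE the tag, with a distinct
    message and an early exit. Returns (message, tag_bytes_compared);
    the second value stands in for response time."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    pad = body[-1]
    if not 1 <= pad <= 16 or body[-pad:] != bytes([pad]) * pad:
        return "padding error", 0          # fast path reveals the answer
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    compared = 0
    for a, b in zip(expected, tag):        # stops at the first mismatch
        compared += 1
        if a != b:
            return "mac error", compared
    return "ok", compared


def safe_open(blob: bytes):
    """Closed oracle: verify the tag first with a constant-time compare and
    collapse every failure into one identical answer (None). Padding is
    only examined on data that carried a valid tag, so an attacker's
    modified input never reaches a decision that depends on its padding."""
    if len(blob) < TAG_LEN + 16:
        return None                        # too short: same answer as a bad tag
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                        # forged input stops here
    pad = body[-1]
    if not 1 <= pad <= 16 or body[-pad:] != bytes([pad]) * pad:
        return None                        # same answer as a bad tag
    return body[:-pad]
```

Compare the two failure paths of `leaky_open` with each other and you have the Miller Lite signal; compare the two failure paths of `safe_open` and there is nothing to measure.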
In any case, if you’re in charge of website security for your staffing company, this is a good time to do a quick assessment. Do you encrypt your config files? Do you keep up with the best security blogs on the net, like Schneier on Security? Do you follow the latest security tweets by my friend DrInfoSec?
If not, take a break from the NFL commercials and study up. I realize that’s an easy thing for me to say given how my Vikings are playing, but do it anyway.