
Constant time comparison

Using == to compare sensitive values such as HMAC signatures, API tokens or password hashes leaves you vulnerable to timing attacks. This is because == returns false as soon as it finds the first pair of bytes that don't match, so the time it takes is proportional to the length of the matching prefix. An attacker can make many requests with different guesses, measure the response times, and use the statistical difference to work out how many leading bytes were correct (the shorter the response, the fewer correct bytes), then fix those and guess the next one.

The solution to this problem is to use a constant-time comparison algorithm. This ensures that the method examines every byte and always takes the same amount of time, regardless of how similar the two values are. In Ruby, you can use Rack::Utils.secure_compare or ActiveSupport::SecurityUtils.secure_compare. Note that a constant-time compare of two strings of different lengths can still return early and leak the length; that is usually acceptable because the expected length (for example, the size of an HMAC digest) is public, but it is something to keep in mind.
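The following is an added example, not code from the page or from Rack/ActiveSupport. It puts the naive == comparison next to a hand-rolled constant-time compare written in the same XOR-accumulate style those libraries use, and a length-independent wrapper that hashes both inputs first; the token values are constructed for illustration. In real code, prefer the library methods named above over rolling your own.

```ruby
require "digest"

# Naive comparison: String#== stops at the first mismatching byte,
# so its running time depends on how long the matching prefix is.
def naive_equal?(presented, expected)
  presented == expected
end

# Constant-time comparison of two strings that are already known to be
# the same length. Every byte is visited and the mismatches are OR'ed
# into an accumulator, so the work done does not depend on where (or
# whether) the inputs differ.
def fixed_length_secure_compare(a, b)
  unless a.bytesize == b.bytesize
    raise ArgumentError, "inputs must be the same length"
  end
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Length-independent variant: compare SHA-256 digests (always 32 bytes)
# in constant time, then confirm the lengths match. A guess of the wrong
# length therefore costs the same as a guess of the right length, so the
# comparison itself does not leak the expected length.
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b)) &&
    a.bytesize == b.bytesize
end

# Hypothetical request handler: check a presented API token against the
# stored one. The naive path is shown only to contrast with the safe one.
def token_valid?(presented, expected, constant_time: true)
  if constant_time
    secure_compare(presented, expected)
  else
    naive_equal?(presented, expected)
  end
end

if __FILE__ == $PROGRAM_NAME
  expected = "c0ffee-constructed-token-1234"       # constructed sample value
  puts token_valid?("c0ffee-constructed-token-1234", expected)  # true
  puts token_valid?("c0ffee-constructed-token-123X", expected)  # false
  puts token_valid?("short", expected)                           # false
end
```

Both `fixed_length_secure_compare` and `secure_compare` return the same boolean that == would; the only thing that changes is that the time to reach "false" no longer tells the caller how close the guess was.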

For more information, check out this excellent blog post.
