My friend Jacob noticed something interesting today, when we were voting on new officers. Everyone put their heads down on their desk, eyes closed. When a candidate's name was called, we raised our hands.
Of course, this "blind voting" scheme is vulnerable to people looking up, but that is cheating. There is a way to find out the results early, legitimately.
The secret: the people running the election took different amounts of time announcing names. For example:
"All those voting for Bob, raise your hand... (wait of 10 seconds while counting hands)... All those voting for John... (wait of 5 seconds counting hands). Ok, we're done."
You know that Bob won, because it took longer to count his votes! This is a subtle information leak.
Lessons:
- When giving results, take the same amount of time whether the answer is positive or negative. Example: When a user logs in, you should give a generic "error: incorrect username or password" message (of course, don't tell them whether it's the user name or the password that is wrong!). But also make sure to take the same amount of time to produce the message! (I.e., if the user name is wrong, it takes 1 second; if the password is wrong, it takes 1 second.)
- Security is hard!
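The login lesson above, as an added example (not code from the original post): `login_leaky` returns as soon as it sees an unknown user name, skipping the expensive password hash, so the "no such user" path is measurably faster than the "wrong password" path even though both return the same generic failure. `login_uniform` hashes against a dummy record when the user is unknown and uses a constant-time comparison, so both failure paths cost the same. The user store, the user name `alice`, and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os
import time
from typing import Tuple

# Constructed sample user store (not from the original post): username -> (salt, pbkdf2 hash)
ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_record(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


USERS = {"alice": _make_record("correct horse battery staple")}

# A dummy record that is always hashed against when the user name is unknown, so the
# "no such user" path does the same amount of work as the "wrong password" path.
_DUMMY_SALT, _DUMMY_HASH = _make_record("dummy-password-never-accepted")


def login_leaky(username: str, password: str) -> bool:
    """Leaky version: returns early for unknown users. The skipped PBKDF2 call makes that
    branch much faster, which tells an observer whether the user name exists, even though
    the caller only ever sees True/False."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return _hash_password(password, salt) == expected  # also a non-constant-time compare


def login_uniform(username: str, password: str) -> bool:
    """Uniform version: same work on every path, plus a constant-time digest compare."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected)
    # Never accept the dummy record, even if someone submits the dummy password.
    return ok and username in USERS


def time_call(fn, *args, repeats: int = 5) -> float:
    """Median wall-clock seconds for fn(*args); a coarse stand-in for what an observer measures."""
    samples = []
    for _ in range(repeats):
        t0 = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    # Compare the two failure paths for each implementation; the leaky one shows a large gap.
    for name, fn in (("leaky", login_leaky), ("uniform", login_uniform)):
        unknown = time_call(fn, "nobody", "whatever")
        wrongpw = time_call(fn, "alice", "wrong")
        print(f"{name:8s} unknown-user {unknown * 1e3:.2f} ms  wrong-password {wrongpw * 1e3:.2f} ms")
```

Running the block prints the median time of each failure path; with the leaky version the unknown-user case is orders of magnitude faster, while the uniform version keeps the two within noise of each other. Equalizing work on every path matters more than a constant-time compare alone, because the hash is where the time goes.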
Links: