Timing attacks belong to side channel attacks/side channel attacks. Side channel attacks refer to the use of information outside the channel, such as the speed of encryption and decryption, the voltage of the chip pins during encryption and decryption, the flow and path of ciphertext transmission, etc. The way of attacking, one word describes it as "side-by-side attack".
To give an example of the simplest timing attack, a function is responsible for comparing whether the password entered by the user is the same as the password stored in the system. If the function starts the comparison from the first bit and returns immediately if it finds a difference, then the returned value is calculated by calculation. The speed will know which one starts to be different, so that the scene of bit-by-bit password cracking that often appears in movies is realized. The complexity of password cracking has decreased by thousands or even millions of times.
When verifying passwords and tokens, it is easier to be attacked by timing. For example, when rails verifies the user's token, the parameter token requested by the user is compared with the token user.token of the database user. If it matches, the authentication is successful.
To prevent timing attacks, rails projects can use the ActiveSupport::SecurityUtils.secure_compare method to compare two values for a match.
if ActiveSupport::SecurityUtils.secure_compare(user.token, token) true else false end