A private key, in the context of SSL encryption, is used to protect data that is sent to secure Web sites, such as online banking details. Anyone who obtains the private key can decrypt any information sent to and from an SSL-protected server.
In a 15-page paper published by the security laboratory at US-based Stanford University's computer science department, the group outlines the attack, which can be used to extract keys over a local area network under strict laboratory conditions.
Timing-based attacks work by looking at the time it takes for a server to respond to different queries and using the varied response time to reduce the number of "guesses" required to determine its private key.
The paper shows that the attack can be quite effective in a local scenario. It's possible for an attacker to determine the private key of another site being hosted on a machine that they also have limited access to. So in the context of shared hosting environments, anyone with a "shell" account would be able to exploit the vulnerability fairly easily, which is a serious concern.
Across a network such as the Internet, the identified weaknesses are most likely impossible to exploit because the varying latency between packets sent over such a network makes the true server response time difficult to ascertain.
The paper also points out that systems running multiple Virtual Machine Monitors (VMMs) are at risk from timing-based attacks. According to the paper, one such architecture that could be affected, if care is not taken in its implementation, is Microsoft's Palladium project.
The attack methods were tested against OpenSSL, the most commonly used open source SSL implementation. The paper also suggests a variety of ways of solving the issues it raises, such as forcing a fixed server response time. OpenSSL has yet to release a fix.
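The fixed-response-time idea mentioned above, as an added example (not code from the paper or from OpenSSL): each call is padded to a whole number of time quanta, which generalises a single fixed time to the case where an operation overruns it. The names `run_padded`, `padded_duration_ns` and `variable_time_op` and the 50 ms quantum are assumptions made for illustration.

```python
import time

# Assumed value: the quantum must exceed the slowest private-key operation,
# otherwise slow inputs spill into a second quantum and still stand out.
QUANTUM_NS = 50_000_000  # 50 ms


def padded_duration_ns(elapsed_ns, quantum_ns=QUANTUM_NS):
    """Smallest whole number of quanta covering elapsed_ns (at least one)."""
    ticks = max(1, -(-elapsed_ns // quantum_ns))  # ceiling division on integers
    return ticks * quantum_ns


def run_padded(operation, *args, quantum_ns=QUANTUM_NS,
               clock_ns=time.monotonic_ns, sleep=time.sleep):
    """Run operation(*args), then wait so the caller sees a quantised duration.

    Failures are padded as well, so an error is not answered faster than a
    success. Returns (result, padded duration in ns).
    """
    start = clock_ns()
    result, error = None, None
    try:
        result = operation(*args)
    except Exception as exc:
        error = exc
    elapsed = clock_ns() - start
    target = padded_duration_ns(elapsed, quantum_ns)
    sleep((target - elapsed) / 1e9)
    if error is not None:
        raise error
    return result, target


def variable_time_op(work_ms):
    """Constructed stand-in for an operation whose duration depends on input."""
    time.sleep(work_ms / 1000)
    return work_ms


if __name__ == "__main__":
    for work_ms in (3, 41):  # constructed inputs
        t0 = time.monotonic_ns()
        run_padded(variable_time_op, work_ms)
        seen_ms = (time.monotonic_ns() - t0) / 1e6
        print(f"work={work_ms} ms -> response after about {seen_ms:.0f} ms")
```

The clock and sleep functions are parameters so the padding logic can be checked deterministically with a simulated clock.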












What garbage. As if laboratory conditions happen in the real world.