In his latest post Anthony Ferrara talks about a tricky subject in PHP - timing attacks. A timing attack has to do with vulnerabilities that can come up because of the differences in time it takes to perform cryptographic operations (like hashing or encrypting).

An interesting pull request has been opened against PHP to make bin2hex() constant time. This has lead to some interesting discussion on the mailing list (which even got me to reply :-X). There has been pretty good coverage over remote timing attacks in PHP, but they talk about string comparison. I'd like to talk about other types of timing attacks.

He starts with a definition of what a remote timing attack is and provides an example of a simple script showing the delay that's key to the attack. His script deals with string location but it gives you an idea of how the attack works and where the danger lies. He points out that even remotely attackers could determine the times to perform operations (down to the nanosecond) and use this to their advantage. He points out that both == and === are vulnerable to this type of attack because of how the comparison happens. He gives two options (one an internal function) to help protect your application and briefly covers a few other types of timing attacks: index lookup, cache-timing and branch-based timing attacks.