A Lesson In Timing Attacks (or, Don’t use MessageDigest.isEquals)

13 Aug 2009

Timing attacks are pretty horrible from the perspective of someone trying to write a secure cryptosystem. They work against a programmer’s best instincts—don’t do extra work—to give an attacker with access to a Statistics 101 textbook a good solid grip on your application’s guts.

How the hell does that work? In short, a