For Workers & Pages, what is the name of the domain?
What is the issue or error you’re encountering
Can an attacker use timing attacks to guess a key from Cloudflare KV?
What steps have you taken to resolve the issue?
We are looking to use KV to store session data. These sessions are keyed by a long random string which is stored in the user’s cookies.
In our Cloudflare Pages setup, the server grabs the session ID from the cookie, and calls KV to get session data.
We use signed cookies, so I don’t believe an attacker could currently brute-force session IDs for a timing attack. But if they could, would KV be susceptible to that timing attack?
That is, could an attacker load pages with many different sessionIDs, thus making many calls to MY_KV.get(sessionID), and use a timing attack to find a sessionID that is valid?
If we use KV for other things that did not come from signed cookies, could a similar timing attack be used?
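The signed-cookie gate described in the post, sketched as an added example (not the poster's code): the cookie's HMAC is verified before any KV read, so an ID the server did not issue never reaches `MY_KV.get`. The cookie format, the helper names and the in-memory KV stand-in are assumptions.

```javascript
// Added example. Cookie format "<sessionId>.<base64url HMAC-SHA256>" and all
// helper names are assumptions, not taken from the post.
const enc = new TextEncoder();

async function getSubtle() {
  // Workers and recent Node expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
}

async function importKey(secret) {
  return (await getSubtle()).importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
}

const toB64url = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

async function signSessionId(sessionId, key) {
  const mac = await (await getSubtle()).sign('HMAC', key, enc.encode(sessionId));
  return `${sessionId}.${toB64url(mac)}`;
}

// Returns the session data, or null for any cookie that fails verification.
async function loadSession(cookieValue, key, kv) {
  const dot = cookieValue.lastIndexOf('.');
  if (dot <= 0) return null;                       // no signature part
  const sessionId = cookieValue.slice(0, dot);
  let mac;
  try { mac = fromB64url(cookieValue.slice(dot + 1)); } catch { return null; }
  // verify() recomputes and compares the MAC inside the crypto library,
  // so no hand-written string comparison touches the secret-derived value.
  const ok = await (await getSubtle()).verify('HMAC', key, mac, enc.encode(sessionId));
  if (!ok) return null;                            // forged or tampered: KV is never read
  return kv.get(sessionId, { type: 'json' });      // only authenticated IDs reach KV
}

// Constructed in-memory stand-in for a KV binding that counts reads.
function makeFakeKV(entries) {
  const store = new Map(Object.entries(entries));
  const kv = { reads: 0, async get(id) { kv.reads += 1; return store.get(id) ?? null; } };
  return kv;
}
```

Values read from KV under keys that do not pass through a check like this one are not covered by it.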