by patio11
5182 days ago
An example of the attack Thomas is talking about: Rails and Django were both bitten earlier last year (?) because their session cookies used HMACs to avoid tampering. Those HMACs were compared against the expected ones using the == operator, which short-circuits in Ruby/Python, causing the comparison to be timeable. Over the Internet, this is a problem. Over the intranet, this is a You Can Own Someone's Admin Cookie In 30 Minutes With A Nearly Trivial Ruby Script, because the timing attack is orders of magnitude easier. (You get nanosecond precision in measurements using only thousands of probe requests.) The cloud angle to this is that deploying on Heroku / Slicehost / EC2 / etc. would let the attacker, for the price of a stolen credit card (or less!), trivially get a local network vantage point from which to attack your application.
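The comparison pattern the comment describes, shown as an added example (not code from the comment, Rails or Django): a signed session cookie verified with a short-circuiting `==` beside the same check done with a constant-time comparison. The cookie format, the function names and the demo key are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed demo key; a real deployment loads its secret from configuration.
SECRET_KEY = b"demo-secret-key-not-for-production"


def sign_cookie(payload: str, key: bytes = SECRET_KEY) -> str:
    """Build a 'payload|hexmac' cookie, the shape a signed session cookie takes."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def _split(cookie: str) -> Tuple[Optional[str], Optional[str]]:
    payload, sep, mac = cookie.rpartition("|")
    return (payload, mac) if sep else (None, None)


def verify_vulnerable(cookie: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Check the MAC with ``==``: str equality returns at the first differing byte,
    so the time taken reveals how many leading characters of a forged MAC match."""
    payload, mac = _split(cookie)
    if payload is None:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if expected == mac:  # short-circuits: runtime depends on attacker-controlled input
        return payload
    return None


def constant_time_eq(a: str, b: str) -> bool:
    """Hand-rolled equivalent of hmac.compare_digest, here to show the shape:
    XOR every byte pair and OR the results together, so there is no early exit.
    The length check leaks only the length, which for a fixed-size MAC is public."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a.encode(), b.encode()):
        acc |= x ^ y
    return acc == 0


def verify_hardened(cookie: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Same check with the stdlib constant-time comparison (hmac.compare_digest)."""
    payload, mac = _split(cookie)
    if payload is None:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(expected, mac) else None
```

Both verifiers accept and reject the same cookies; what differs is only that the hardened one's running time does not depend on where a forged MAC first diverges from the real one.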