If an error occurs, our web shop generates an error-code that is shown to the us

Question

If an error occurs, our web shop generates an error-code that is shown to the user. At the moment, it does not contain a time stamp but only the day of the month. That is non-intuitive but I assume the original intention was to give potential attacker as few information as possible.

However, it would be more convenient to include a more precise time stamp, e.g., YYYY-MM-DD-HH-MM.

Is it a security hole to show more precise time information?

I'm not talking about a high-resolution time stamp, but only the rough time so it is easier to locate logfiles and quickly find out which release of the code caused the problem.

All the attacker sees is the current time and the time zone that we use. Does not seem critical to me, but maybe I miss something.

Explanation / Answer

I don't see an issue here because the user will know the exact time they did something. Considering that a server needs to sync their time with an authoritative time source, there will be nothing "leaked" to the user that the user won't already know.

If you wish to hide some aspect of your server (like what time zone it resides) you can process your logs as UTC time as a generalized time format.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.