Is the timing attack generally considered a concern? I’ve seen more and more sites give a login error saying whether you typed the password in wrong or the username doesn’t exist, which gives the same information and doesn’t even require using statistics.
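Added example, not code from the post or from the commenter above: the usual shape of the login timing leak and its fix. It assumes the leak under discussion is the common one where the server skips the password hash entirely for a username it does not know, so a wrong password against a nonexistent account returns far faster than against a real one; user names, passwords, the dummy record and the iteration count are all constructed for the demo.

```python
import hashlib
import hmac
import os
import statistics
import time

# Demo work factor only; real deployments use a far higher count (or Argon2/bcrypt).
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store with a single account.
SALT = os.urandom(16)
USERS = {"alice": (SALT, hash_password("correct horse battery", SALT))}

# Dummy record so that an unknown username costs exactly one hash, like a real one.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("not a real password", DUMMY_SALT)


def login_leaky(username: str, password: str) -> bool:
    """Returns early for unknown users: no hash is computed, so the response
    is orders of magnitude faster than for an account that exists."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_hardened(username: str, password: str) -> bool:
    """Always performs one password hash, against the dummy record when the
    user does not exist, so the timing no longer depends on the username."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
    matched = hmac.compare_digest(hash_password(password, salt), expected)
    return matched and record is not None


def median_latency(login, username: str, password: str, samples: int = 11) -> float:
    """Median wall-clock time of `samples` login attempts, in seconds. The
    median is the 'statistics' part: it absorbs the odd slow outlier."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, password)
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def enumerate_users(login, candidates, password: str = "wrong", samples: int = 11):
    """Attacker side: time a wrong password against each candidate username.
    If the slowest and fastest candidates are within 3x of each other there is
    no usable signal and nothing is reported; otherwise every candidate on the
    slow side of the gap is reported as an existing account."""
    latency = {u: median_latency(login, u, password, samples) for u in candidates}
    fastest, slowest = min(latency.values()), max(latency.values())
    if slowest < 3 * fastest:
        return []
    cutoff = (fastest + slowest) / 2
    return sorted(u for u, t in latency.items() if t > cutoff)


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("leaky   :", enumerate_users(login_leaky, names))
    print("hardened:", enumerate_users(login_hardened, names))
```

Against `login_leaky` the gap is not subtle: a missing user costs a dictionary lookup, a real one costs a full PBKDF2 run, so a handful of samples per name is enough even with a noisy network in between. `login_hardened` removes the gap by spending the same hash on every request; the constant-time `hmac.compare_digest` on the result is there so the final equality check does not reopen a smaller leak.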
Also, the author’s localhost example didn’t seem very convincing. Production applications and noise have a lot going on that can affect latency. The author does not even demonstrate that they can accomplish this attack in their idealized environment. I didn’t see a link to any research demonstrating this. I’m not saying the author isn’t correct that this type of attack is possible, just that they did not provide any reason to believe them.
Excellent resource on timing attacks. One should also remember that session tokens are vulnerable to this.