I’ll be blunt here: any Java application which compares client-provided data to a secret value using MessageDigest.isEqual is vulnerable to timing attacks. This includes HMACs, decryption results, etc.
via codahale.com – A Lesson In Timing Attacks (or, Don’t use MessageDigest.isEquals). Nice intro to timing attacks along the way.