W3C home > Mailing lists > Public > public-fx@w3.org > October to December 2011

Re: Documenting Timing Attacks in Rendering Engines

From: Vincent Hardy <vhardy@adobe.com>
Date: Fri, 9 Dec 2011 16:04:29 -0800
To: "Tab Atkins Jr." <jackalmage@gmail.com>
CC: Charles Pritchard <chuck@jumis.com>, "public-fx@w3.org" <public-fx@w3.org>
Message-ID: <EDC676A4-6982-425D-ADC8-77342300AE5A@adobe.com>

On Dec 9, 2011, at 3:57 PM, Tab Atkins Jr. wrote:

> On Fri, Dec 9, 2011 at 3:44 PM, Vincent Hardy <vhardy@adobe.com> wrote:
>> For the record, here are the points we presented the FX group during the
>> last face to face:
>> 
>> - Timing attackes rely on inferring rendered content from the time it takes
>> to render it
>> - Timing attacks were demonstrated attack in WebGL
>> - There are differences between CSS shaders and WebGL (different timing
>> mechanisms)
>> - Possible solution:
>>      - CORS
>>      - Mandate that UAs do not give out information on rendered content from
>> timing (obfuscate the requestAnimationFrame method)
>> ========
>> 
>> We decided to explore CORS at this time,
> 
> This doesn't make sense.  cross-origin content is *one* information
> leak from shaders.  There are many more that Adam Barth has pointed
> out, such as :visited status, the user's spellchecking dictionary, the
> user's filesystem structure through the display of <input type=file>
> in some browsers, etc.  These latter have nothing to do with CORS.

Tab,

What my mail says is relating what the discussion at the F2F was and what the outcome was. It is not saying that this is the answer to everything. It does not say that CORS is the answer to the issues you point out.

I think it makes sense to share that type of information so that everybody knows what was already discussed and what may not have been discussed.

Kind regards,
Vincent.
Received on Saturday, 10 December 2011 00:05:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 10 December 2011 00:05:19 GMT