Re: GLSL ES & CSS Filters from Dirk Schulze on 2012-10-16 (public-fx@w3.org from October to December 2012)

From: Dirk Schulze <dschulze@adobe.com>
Date: Tue, 16 Oct 2012 13:38:22 -0700
To: Mark Callow <callow.mark@artspark.co.jp>, "public-fx@w3.org" <public-fx@w3.org>
CC: Max Vujovic <mvujovic@adobe.com>, Dean Jackson <dino@apple.com>, Vincent Hardy <vhardy@adobe.com>, Erik Dahlstrom <ed@opera.com>
Message-ID: <EA074783-498F-43E3-B523-AA80927DA657@adobe.com>


On Oct 15, 2012, at 10:58 PM, Mark Callow <callow.mark@artspark.co.jp> wrote:

> Hi Max,
> 
> On 2012/10/12 7:42, Max Vujovic wrote:
>> I made a functioning proof of concept attack several months ago, before we implemented any of the security restrictions in WebKit. On the malicious page, I was able to query arbitrary URLs, and within 500ms, I could get a "yes" or "no" answer regarding whether the user had visited a URL. I'm fairly confident I could bring the query time per URL down to 40ms or less.
>> 
> 
> Thank you for explaining your proof of concept. I would like to see the JS part of it too, if you wouldn't mind sending it to me. I have a few thoughts about mitigation and am trying to see which, if any, cases my ideas would inhibit.
> 
> Is running filters typically pipelined and done in parallel with running the JS, or is everything serial?
> Regards
I know that Dean warned for possible FUD and FUC. But can we still move the security concerns discussion to the mailing list "public-fx@w3.org" <public-fx@w3.org> please? In general we try to avoid shadow discussions that are not public available. The HTML web platform has a variety of security experts that can give you a lot of details.

Greetings,
Dirk

> 
>     -Mark
> 
> Please note that, due to the integration of management operations following establishment of our new holding company, my e-mail address has changed to callow.mark<@>artspark<.>co<.>jp. I can receive messages at the old address for the rest of this year but please update your address book as soon as possible.
> -- 
> 注意：この電子メールには、株式会社エイチアイの機密情報が含まれている場合が有ります。正式なメール受信者では無い場合はメール複製、 再配信または情報の使用を固く禁じております。エラー、手違いでこのメールを受け取られましたら削除を行い配信者にご連絡をお願いいたし ます.
> NOTE: This electronic mail message may contain confidential and privileged information from HI Corporation. If you are not the intended recipient, any disclosure, photocopying, distribution or use of the contents of the received information is prohibited. If you have received this e-mail in error, please notify the sender immediately and permanently delete this message and all related copies.
>

Received on Tuesday, 16 October 2012 20:39:27 UTC