- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 4 Oct 2011 13:57:03 +0200
- To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Cc: Thomas Roessler <tlr@w3.org>
FYI. The use of timing information for fingerprinting might be interesting to people on this mailing list.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org> (@roessler)

Begin forwarded message:

> From: Tony Gentilcore <tonyg@chromium.org>
> Subject: Security implications of network timing
> Date: October 4, 2011 13:54:27 +0200
> To: public-web-security@w3.org
> Archived-At: <http://www.w3.org/mid/CANvLf_FrQy0orRk92HmE-ZoXmRRQ8xcKLGMMvH81ZKboJzkfeQ@mail.gmail.com>
>
> Hi Security Gurus,
>
> The Resource Timing[1] specification has just entered last call phase. It
> provides network timing details for each subresource loaded by a page,
> to wit, the HTTP redirect, DNS, TCP connect, HTTP request and HTTP
> response phases.
>
> We suspected that exposing this additional detail could improve the
> effectiveness of timing attacks like those described by Felten and
> Schneider[2]. So we have speculatively guarded these times with a
> same-origin restriction.
>
> But even with the same-origin restriction, other folks have
> speculated[3] these times could be used to improve the effectiveness
> of statistical fingerprinting. At the same time, developers who want
> to use the feature are concerned that the same-origin restriction is
> too crippling for their use-cases.
>
> So, we'd like to take a step back and develop a list of novel attacks
> that could be enabled by exposing network timing. Then we can put in
> the proper set of restrictions to prevent them. The problem is that
> none of the web performance working group participants have expertise
> in security or privacy.
>
> Are there folks in this group who would be willing to help us generate a list
> of novel attacks that could be exposed by network timing?
>
> Thank you,
> Web Performance Working Group
>
> [1] http://w3c-test.org/webperf/specs/ResourceTiming/
> [2] http://sip.cs.princeton.edu/pub/webtiming.pdf
> [3] http://lists.w3.org/Archives/Public/public-web-perf/2011May/0102.html
Received on Tuesday, 4 October 2011 11:57:10 UTC