Re: PING – informal chairs summary – 21 January 2016

Hi Greg,

Today's call agenda includes both those items:

> 1. Welcome and introductions
> 2. Web RTC 1.0
> 3. Vibration API
> 4. Privacy questionnaire
> 5. AOB

(You are perhaps responding to the summary of the *previous* call?) --TW

On Thu, Feb 25, 2016 at 7:24 AM, Greg Norcie <gnorcie@cdt.org> wrote:

> Hi Tara,
>
> I thought the agenda would include both the WebRTC review and the
> Vibration API review. I spent a lot of time on both, so I hope we can at
> least briefly discuss them.
>
> Thanks for the help.
>
> /********************************************/
> Greg Norcie (norcie@cdt.org)
> Staff Technologist
> Center for Democracy & Technology
> District of Columbia office
> (p) 202-637-9800
> PGP: http://norcie.com/pgp.txt
>
>
>
> *CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out! Learn
> more at https://cdt.org/annual-dinner*
> /*******************************************/
>
> On Thu, Feb 25, 2016 at 1:55 AM, Tara Whalen <tjwhalen@gmail.com> wrote:
>
>> PING – informal chairs summary – 21 January 2016
>>
>> Thank you to Todd Reifsteck, Philippe Le Hegaret, and Yoav Weiss from the
>> Web Performance Working Group for joining our call.
>>
>> Thanks to Wendy Seltzer for acting as scribe.
>>
>> Our next call will be on 25 February 2016 at the usual time.
>>
>> * High Resolution Time Level 2
>>
>> Philippe Le Hegaret from the Web Performance Working Group presented an
>> overview of privacy considerations of High Resolution Time Level 2 [1]. In
>> November, a request was sent to PING [2] for review. One issue that came up
>> last year was that this specification could be used for timing attacks, as
>> identified in research [3],[4]. Because of this issue, the WG was forced to
>> reduce the accuracy of the timer. More recently, another attack was
>> reported (with exploit not yet complete in JavaScript) [5]; discussion with
>> a researcher indicated that even a more granular accuracy would be
>> insufficient to stop it.
>> Discussion of this issue focused on any potential mitigations; research
>> indicates that even if timer accuracy is reduced, you can still use the
>> JavaScript data object. Nick Doty proposed it might be useful to talk to
>> security experts about the risks (if any) of revealing memory addresses
>> even if the JavaScript code can't execute natively on the machine. In terms
>> of next steps, the WG is moving this to Candidate Recommendation in order
>> to get version 2 out; Philippe notes that if there is progress in the
>> Rowhammer attack, then they will re-open the question.
>>
>> * Privacy Questionnaire
>> Greg Norcie notes that the questionnaire has been ported from the wiki to
>> GitHub [6], and hopes that pull requests will be an effective channel for
>> feedback. Greg also wants to send feedback to the TAG on their security
>> questionnaire. Discussion suggested that it would be most helpful to use
>> GitHub issue tracking, and to periodically review and update the
>> questionnaire.
>>
>> * AOB
>> Nick Doty notes that the TAG has feedback on the Fingerprinting Guidance
>> document, which he will be discussing with them. In addition, the Web
>> Performance WG has been working on Beacon, and Nick has opened some issues
>> for discussion with them [7].
>>
>> * Next call
>>
>> 25 February 2016 at UTC 17
>>
>> Christine and Tara
>>
>> [1] http://www.w3.org/TR/hr-time-2/
>> [2] https://lists.w3.org/Archives/Public/public-privacy/2015OctDec/0134.html
>> [3] https://github.com/w3c/hr-time/issues/4
>> [4] http://arxiv.org/pdf/1502.07373v2.pdf
>> [5] http://www.rowhammer.com/
>> [6] https://github.com/gregnorc/ping-privacy-questions
>> [7] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0003.html
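The timer-coarsening mitigation the summary above attributes to the Web Performance WG, as an added illustration that is not part of this thread or of the hr-time-2 specification: it models rounding a clock to a fixed resolution and lets a reviewer check which event durations a chosen resolution actually hides from a single start/stop measurement. Times are integer nanoseconds and the 5 µs resolution is an assumed illustrative value (the real performance.now() returns fractional milliseconds).

```javascript
// Added illustration, not code from the thread or the hr-time-2 spec. Times are
// integer nanoseconds (an assumption made for exact arithmetic) and the
// resolution below is an illustrative value, not a quotation from the spec.

const ASSUMED_RESOLUTION_NS = 5000; // 5 µs, assumed for illustration

// Coarsen a raw timestamp: round down to the nearest multiple of the resolution.
function coarsen(rawNs, resolutionNs = ASSUMED_RESOLUTION_NS) {
  if (!Number.isInteger(rawNs) || rawNs < 0) throw new RangeError("rawNs must be a non-negative integer");
  if (!Number.isInteger(resolutionNs) || resolutionNs <= 0) throw new RangeError("resolution must be a positive integer");
  return rawNs - (rawNs % resolutionNs);
}

// Duration an observer sees when both endpoints come from the coarsened clock.
function observedDuration(startNs, endNs, resolutionNs = ASSUMED_RESOLUTION_NS) {
  if (endNs < startNs) throw new RangeError("endNs must not precede startNs");
  return coarsen(endNs, resolutionNs) - coarsen(startNs, resolutionNs);
}

// Fraction of start phases (0 .. resolution-1) at which an event of durationNs
// still yields a non-zero observed duration. For durations below the resolution
// this equals durationNs / resolutionNs: coarsening hides a sub-resolution event
// only part of the time, so it raises the cost of a timing measurement rather
// than eliminating it, which is the limit the summary's discussion points at.
function leakFraction(durationNs, resolutionNs = ASSUMED_RESOLUTION_NS) {
  let visible = 0;
  for (let phase = 0; phase < resolutionNs; phase++) {
    if (observedDuration(phase, phase + durationNs, resolutionNs) > 0) visible++;
  }
  return visible / resolutionNs;
}

// Worked comparison: the same constructed 1 µs event under a raw and a coarsened clock.
function example() {
  const rawStart = 123456, rawEnd = rawStart + 1000;
  return {
    rawDuration: rawEnd - rawStart,                        // 1000 ns
    coarsenedDuration: observedDuration(rawStart, rawEnd), // 0 ns at this phase
    leakFraction: leakFraction(1000),                      // 0.2
  };
}
```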

Received on Thursday, 25 February 2016 15:31:39 UTC