
[ResourceTiming] Privacy

From: Tony Gentilcore <tonyg@google.com>
Date: Fri, 20 May 2011 20:13:20 +0100
Message-ID: <BANLkTim1yB9XtJtnXwZh5u0JiV5n-pk+Bw@mail.gmail.com>
To: "public-web-perf@w3.org" <public-web-perf@w3.org>
Cc: Maciej Stachowiak <mjs@apple.com>

On the webkit-dev list, Maciej Stachowiak raised a valid concern about
the Resource Timing proposal (pasted below).

As a working group, we should make sure that we have concrete answers
to these questions. James and I will also forward these to the Chrome
security team.

Maciej, the group would definitely appreciate input from the Apple
security experts if you wouldn't mind pointing them at the proposal.

-Tony

> I understand that we have to keep a balance, and statistical fingerprinting is already dismayingly effective without any new features. However, "enable[d]-by-default with a hidden pref to disable" sounds like an extremely weak approach to protecting user privacy.
>
> Is it possible to find experts on the topic of statistical fingerprinting, as well as security experts in general, who could review this API? Things I'd really like to know are:
>
> - Does this feature, as designed, increase the effectiveness of user fingerprinting, assuming the user is running something like private browsing or incognito mode, or is regularly deleting site data? The relevant question here is marginal increase in effectiveness - are things worse with this feature than without?
>
> - Presumably some known statistical fingerprinting techniques can be mitigated, if not always then at least in private browsing mode. If that was done, then would this timing feature provide an additional fingerprinting vector?
>
> - Could this feature directly reveal otherwise hard-to-guess information about users?
>
> - Can this feature be used to aid timing-based security attacks?
>
> I would really like to see this kind of review done ahead of time and delivered to the Working Group. My worry here is that the feature may have fatal flaws as currently designed, or perhaps even in the basic concept of its functionality. If that's the case, then we'd certainly want to find out before we get locked into it. Perhaps some of the privacy risks can even be mitigated, such as by returning fake or random data in private browsing mode. I can ask some of Apple's security experts to review with a mind to these questions, but I'm wondering if there are other independent experts we could ask.

Original thread:
https://lists.webkit.org/pipermail/webkit-dev/2011-May/016811.html
Received on Friday, 20 May 2011 19:14:16 GMT
