W3C home > Mailing lists > Public > public-web-security@w3.org > October 2011

Security implications of network timing

From: Tony Gentilcore <tonyg@chromium.org>
Date: Tue, 4 Oct 2011 12:54:27 +0100
Message-ID: <CANvLf_FrQy0orRk92HmE-ZoXmRRQ8xcKLGMMvH81ZKboJzkfeQ@mail.gmail.com>
To: public-web-security@w3.org
Hi Security Gurus,

The Resource Timing[1] specification has just entered last call phase. It
provides network timing details for each subresource loaded by a page,
to wit, the HTTP redirect, DNS, TCP connect, HTTP request and HTTP
response phases.

We suspected that exposing this additional detail could improve the
effectiveness of timing attacks like those described by Felten and
Schneider[2]. So we have speculatively guarded these times with a
same-origin restriction.

But even with the same-origin restriction, other folks have
speculated[3] these times could be used to improve the effectiveness
of statistical fingerprinting. At the same time, developers who want
to use the feature are concerned that the same-origin restriction is
too crippling for their use-cases.

So, we'd like to take a step back and develop a list of novel attacks
that could be enabled by exposing network timing. Then we can put in
the proper set of restrictions to prevent them. The problem is that
none of the web performance working group participants have expertise
in security or privacy.

Are there folks in this group who would be willing to help us generate a list
of novel attacks that could be exposed by network timing?

Thank you,
Web Performance Working Group

[1] http://w3c-test.org/webperf/specs/ResourceTiming/
[2] http://sip.cs.princeton.edu/pub/webtiming.pdf
[3] http://lists.w3.org/Archives/Public/public-web-perf/2011May/0102.html
Received on Tuesday, 4 October 2011 11:55:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 4 October 2011 11:55:25 GMT