Re: Security implications of network timing

From: Bryan McQuade <bmcquade@google.com>
Date: Thu, 6 Oct 2011 10:00:49 -0400
Message-ID: <CADLGQyAwfqqSEFAuRMmrvgYYwHmTEefWGDg89wPs6aamW73tkw@mail.gmail.com>
To: public-web-security@w3.org

Billy and Paul,

The goal here is to collect specific novel attacks (that is, attacks
not possible without this new information) that arise as a result of
resource timing. You've said "The performance timing information in
the new API has implications far beyond Felten's classic work on
browser or shared cache snooping" and "I expect these capabilities
will be on-par with custom native code attack tools." but I do not see
any specific novel attack vectors mentioned in your responses that are
only possible with the addition of this data. Can you please elaborate
to provide specific novel attack vectors that arise as a result of
providing this new data, so we can analyze them and confirm that they
are indeed not possible without the data provided by resource timing?

Thanks!
-Bryan
Received on Thursday, 6 October 2011 14:01:18 GMT