- From: Chris Weber <chris@lookout.net>
- Date: Wed, 05 Oct 2011 22:14:30 -0700
- To: Billy Hoffman <billy@zoompf.com>
- CC: Tony Gentilcore <tonyg@chromium.org>, public-web-security@w3.org
On 10/4/2011 3:16 PM, Billy Hoffman wrote:
> The performance timing information in the new API has implications far
> beyond Felten's classic work on browser or shared cache snooping. I
> see this facilitating some major advances in the JavaScript port
> scanning that myself, Robert Hansen, and Jeremiah Grossman explored in
> 2006.

I can see that angle, but wouldn't the Timing-Allow-Origin requirement mitigate most if not all of that? It basically nixes the domain lookup and connection information that would be useful... right?

For another vector, how about using the performance data to perform geolocation testing? I'm being totally theoretical with no PoC to back this up, but could the timing information help an attacker to better pinpoint coordinates more accurately than geolocation databases today? I'm assuming something like multilateration might be used, where the attacker controlled various receivers, thereby controlling the cross-origin restriction as well. But then again the attacker might need quite a bunch of those receivers around, and in decent proximity to the victim, to do any good...

-Chris
Received on Friday, 7 October 2011 03:51:43 UTC
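To make concrete what the Timing-Allow-Origin check discussed above actually withholds, here is an added model (not code from the thread or from any browser) of the Resource Timing "timing allow check" and the attribute redaction it gates; the sample entry, origins and header values are constructed, and origin matching is simplified to exact string comparison.

```javascript
// Added example: a model of the Resource Timing timing-allow check.
// Not browser code; origins and the sample entry are constructed.

// Attributes a browser zeroes for a cross-origin resource whose response
// did not pass the check. fetchStart, responseEnd, startTime and duration
// remain visible, so only the total fetch time leaks, not DNS/connect phases.
const RESTRICTED = [
  "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart",
  "requestStart", "responseStart",
];

// Returns true when a document at docOrigin may see detailed timing for a
// resource served from resOrigin. headerValue is the Timing-Allow-Origin
// header, or null when the response carried none.
function timingAllowCheck(docOrigin, resOrigin, headerValue) {
  if (docOrigin === resOrigin) return true;          // same-origin: always allowed
  if (headerValue === null || headerValue === undefined) return false;
  // Header is a comma-separated list of serialized origins, or "*".
  const values = headerValue.split(",").map((v) => v.trim()).filter(Boolean);
  return values.some((v) => v === "*" || v === docOrigin);
}

// Produces the timing view a script in docOrigin would observe for entry.
function exposeTiming(entry, docOrigin, resOrigin, headerValue) {
  const out = { ...entry };
  if (!timingAllowCheck(docOrigin, resOrigin, headerValue)) {
    for (const k of RESTRICTED) out[k] = 0;          // redact phase-level timings
  }
  return out;
}

// Constructed sample entry (milliseconds chosen for illustration only).
const SAMPLE = {
  name: "https://cdn.example.net/lib.js", startTime: 100, duration: 140,
  fetchStart: 100, domainLookupStart: 101, domainLookupEnd: 120,
  connectStart: 120, secureConnectionStart: 130, connectEnd: 160,
  requestStart: 161, responseStart: 230, responseEnd: 240,
  redirectStart: 0, redirectEnd: 0,
};

// Stand-alone demonstration: the same resource with and without the header.
console.log(exposeTiming(SAMPLE, "https://app.example", "https://cdn.example.net", null));
console.log(exposeTiming(SAMPLE, "https://app.example", "https://cdn.example.net", "*"));
```

A server that wants a third-party page to see its DNS and connect phases must opt in explicitly; a server that stays silent has those phases reported as 0 to every cross-origin document.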