
Re: Security implications of network timing

From: Chris Weber <chris@lookout.net>
Date: Wed, 05 Oct 2011 22:14:30 -0700
Message-ID: <4E8D3936.1080904@lookout.net>
To: Billy Hoffman <billy@zoompf.com>
CC: Tony Gentilcore <tonyg@chromium.org>, public-web-security@w3.org
On 10/4/2011 3:16 PM, Billy Hoffman wrote:
> The performance timing information in the new API has implications far
> beyond Felten's classic work on browser or shared cache snooping. I
> see this facilitating some major advances in the JavaScript port
> scanning that myself, Robert Hanson, and Jeremiah Grossman explored in
> 2006.

I can see that angle but wouldn't the Timing-Allow-Origin requirement 
mitigate most if not all of that?  It basically nixes the domain lookup 
and connection information that would be useful... right?

For another vector, how about using the performance data to perform 
geolocation testing?  I'm being totally theoretical with no PoC to back 
this up but could the timing information help an attacker to better 
pinpoint coordinates more accurately than geolocation databases today? 
I'm assuming something like multilateration might be used, where the 
attacker controlled various receivers, thereby controlling the 
cross-origin restriction as well.  But then again the attacker might 
need quite a bunch of those receivers around, and in decent proximity to 
the victim, to do any good...

-Chris
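To make the mitigation Chris is pointing at concrete: the model below, added here and not code from the thread or from any browser, re-implements the Resource Timing "timing allow check" and shows which milestones a page stops seeing for a cross-origin resource whose server has not sent Timing-Allow-Origin. It assumes a single response (no redirect chain); the origins and timing values are constructed.

```python
# Model of the Resource Timing "timing allow check" and the redaction it
# drives. Illustrative re-implementation for this page, not browser code:
# one response is assumed (no redirect chain); attribute names follow the spec.

# Milestones a browser zeroes for a cross-origin resource that fails the
# check: DNS, TCP/TLS handshake, request and redirect timing stay hidden.
RESTRICTED = (
    "redirectStart", "redirectEnd", "domainLookupStart", "domainLookupEnd",
    "connectStart", "connectEnd", "secureConnectionStart",
    "requestStart", "responseStart",
)

def timing_allow_check(tao_header, document_origin):
    """True if a Timing-Allow-Origin value permits document_origin.

    Comma-separated values are compared byte-for-byte with the serialized
    origin; a literal '*' admits every origin; None means header absent.
    """
    if tao_header is None:
        return False
    for value in tao_header.split(","):
        value = value.strip()
        if value == "*" or value == document_origin:
            return True
    return False

def observed_entry(measured, tao_header, document_origin, resource_origin):
    """Return the PerformanceResourceTiming values a page would observe."""
    visible = dict(measured)
    if resource_origin == document_origin:
        return visible                      # same-origin: nothing hidden
    if timing_allow_check(tao_header, document_origin):
        return visible                      # server opted in via the header
    for name in RESTRICTED:
        visible[name] = 0
    return visible

def dns_lookup_ms(entry):
    """DNS time as a page would compute it; 0 once the check has failed."""
    return entry["domainLookupEnd"] - entry["domainLookupStart"]

# Constructed sample (not captured data): what the fetching browser measured.
MEASURED = {
    "startTime": 100.0, "fetchStart": 100.0,
    "redirectStart": 0, "redirectEnd": 0,
    "domainLookupStart": 101.0, "domainLookupEnd": 131.0,
    "connectStart": 131.0, "secureConnectionStart": 150.0, "connectEnd": 180.0,
    "requestStart": 180.5, "responseStart": 240.0, "responseEnd": 245.0,
}
```

Without the header, only startTime, fetchStart, responseEnd (and hence the overall duration) survive cross-origin, which is the information the "domain lookup and connection" argument above rests on.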
Received on Friday, 7 October 2011 03:51:43 GMT