Re: Security implications of network timing

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 6 Oct 2011 21:16:04 -0700
Message-ID: <CALx_OUDkk2kT9g5WE9NgG=Cx-p1rbjMVXVgirMgWxC6ZACnkgw@mail.gmail.com>
To: Chris Weber <chris@lookout.net>
Cc: Billy Hoffman <billy@zoompf.com>, Tony Gentilcore <tonyg@chromium.org>, public-web-security@w3.org
> For another vector, how about using the performance data to perform
> geolocation testing?  I'm being totally theoretical with no PoC to back this
> up but could the timing information help an attacker to better pinpoint
> coordinates more accurately than geolocation databases today? I'm assuming
> something like multilateration might be used, where the attacker controlled
> various receivers, thereby controlling the cross-origin restriction as well.

The attacker controlling several servers can already measure RTTs (and
the number of hops, and many other parameters) very accurately simply
by benchmarking HTTP connections.

FWIW, I looked at this before, and I would be somewhat surprised if
the API has any privacy consequences that extend beyond the current
timing capabilities available to JavaScript and malicious servers. I
suspect the key reason why it makes people uncomfortable is its
explicit nature; and the fact that its introduction will essentially
burn any bridges should we want to mitigate timing vectors in the
future. Which may be a legit concern, though I don't see such
mitigations happening soon.

/mz
Received on Friday, 7 October 2011 04:17:01 GMT