Re: Security implications of network timing from Billy Hoffman on 2011-10-08 (public-web-security@w3.org from October 2011)

From: Billy Hoffman <billy@zoompf.com>
Date: Sat, 8 Oct 2011 09:43:11 -0400
To: Bryan McQuade <bmcquade@google.com>
Cc: public-web-security@w3.org
Message-ID: <CAH0WLwO_t-zKigg99KRm4MqrOOauRHfaWax3fAUnY317v5uP7Q@mail.gmail.com>

Bryan

There are rarely new vectors in security. It's largely about how
existing attack scenarios or techniques apply to new or different
situations. As you increase the capabilities or features of something,
different existing techniques become more or less applicable and
impactful. Web performance timings exposes and segments precise timing
data which the attacker could not access before. All security
repercussions should be discussed.

Here is a specific example of the repercussions of this new feature.
It's not novel, it's just made worse and its scope has expanded:

Felton's web privacy paper was based on "Is this URL in someone's
browser cache, or organizational cache?" You could see if I had
visited "http://youporn.com/hot-hot-action.html." But what if I had
instead visited "http://youporn.com/dancing-dancing-hotties.html?" No
hit. This is similar to the CSS history hack in that you have to test
for specific URLs. However, now with web performance timings, I see if
youporn.com is in your browser's or OS's DNS cache without needing to
test a specific URL.

Even better (or worse), DNS caching occurs even on HTTP resources that
are not cached. This removes the  "resource must be stored in a cache
and still be fresh" requirement of Felton's method and extends this
attack to work against sites with past Expires or Cache-control:
no-store  headers or SSL or a dozen other things which affect or
prevent caching.

The end result is that it will be easier for an attacker to determine
where you have been in on the Internet.

--
Billy Hoffman
Founder and CEO,
Zoompf - Making Websites Faster
Phone: +1 (404) 509-0051
Cell: +1 (404) 414-2000
Get your free web performance assessment today at zoompf.com/free

On Thu, Oct 6, 2011 at 10:00 AM, Bryan McQuade <bmcquade@google.com> wrote:
> Billy and Paul,
>
> The goal here is to collect specific novel attacks (that is, attacks
> not possible without this new information) that arise as a result of
> resource timing. You've said "The performance timing information in
> the new API has implications fat beyond Felton's classic work on
> browser or shared cache snooping" and "I expect these capabilities
> will be on-par with custom native code attack tools." but I do not see
> any specific novel attack vectors mentioned in your responses that are
> only possible with the addition of this data. Can you please elaborate
> to provide specific novel attack vectors that arise as a result of
> providing this new data, so we can analyze them and confirm that they
> are indeed not possible without the data provided by resource timing?
>
> Thanks!
> -Bryan
>
>

Received on Saturday, 8 October 2011 13:56:29 UTC