Re: Security implications of network timing

Thank you all for the carefully thought out responses. This is exactly
the kind of information needed. Activity seems to have died down, so
I'll attempt to summarize...

1. The cross-origin restriction is absolutely needed. Without it:
  - Web history could be leaked
  - JS port scanning would be more accurate
  - Brute forcing passwords could be more effective

2. Even with the cross-origin restriction, there are several concerns:
  - In the presence of an XSS, everything in #1 can be exploited.
  - This might improve the site's ability to geolocate the user.
  - This makes existing timing attacks more explicit, which prevents
    them from ever being patched.

3. Risk mitigation suggestions:
  - Allow user opt-out
  - Opt-out by default in private browsing modes
  - Allow page opt-out via meta tag or the like

Is this a fair summary? Please correct me if I missed anything.
Otherwise, I'll discuss these with the web perf working group.

My personal thoughts are:
#1 We will keep the cross-origin restriction.
#2 If an XSS is present, all bets are off, so we shouldn't worry about
that. IP-based geolocation is already so effective that I doubt
there's much room to improve that precision. There is no remotely
plausible plan suggested for patching the implicit timing attacks, so
making them explicit is not really changing anything.
#3 If opt-out is necessary, we've already done something wrong in #2.

-Tony

Received on Wednesday, 19 October 2011 14:37:03 UTC
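Added example, not part of Tony's message or of the working group's own code. It models the cross-origin restriction discussed in point #1 as the Resource Timing API defines it (assumption: that is the network timing API this thread is about): the attributes that reveal the DNS, TCP, TLS and request phases of a fetch are zeroed for cross-origin resources unless the resource's response opted in with a Timing-Allow-Origin header naming the document's origin. The entries, origins and header values below are constructed sample data; the function names are my own.

```javascript
// Added illustration of the cross-origin restriction on network timing.
// Assumes the Resource Timing model: cross-origin entries lose the
// attributes below unless the response carried a matching
// Timing-Allow-Origin header. All sample values are constructed.

// Attributes withheld from cross-origin resources that have not opted in.
const RESTRICTED_ATTRS = [
  "redirectStart", "redirectEnd",
  "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart",
  "requestStart", "responseStart",
];

// True when resourceUrl has the same scheme/host/port as documentOrigin.
function isSameOrigin(resourceUrl, documentOrigin) {
  return new URL(resourceUrl).origin === new URL(documentOrigin).origin;
}

// Parse a Timing-Allow-Origin value (origins separated by spaces or commas)
// and decide whether it lets documentOrigin see the full timing.
function timingAllowOriginPermits(headerValue, documentOrigin) {
  if (typeof headerValue !== "string") return false;
  const origin = new URL(documentOrigin).origin;
  return headerValue
    .split(/[\s,]+/)
    .filter(Boolean)
    .some((v) => v === "*" || v === origin);
}

// Copy of the entry with restricted attributes zeroed unless the resource is
// same-origin or its response opted in. This is the step a browser performs
// before exposing the entry to script; fetchStart/responseEnd stay visible.
function applyCrossOriginRestriction(entry, documentOrigin, taoHeader) {
  const out = { ...entry };
  const allowed =
    isSameOrigin(entry.name, documentOrigin) ||
    timingAllowOriginPermits(taoHeader, documentOrigin);
  if (!allowed) {
    for (const attr of RESTRICTED_ATTRS) out[attr] = 0;
  }
  return out;
}

// Defender-side audit: from entries as a page sees them, list cross-origin
// resources whose detailed timing is exposed (i.e. whose servers opted in),
// so a site owner can review which third parties chose to reveal it.
function exposedCrossOriginEntries(entries, documentOrigin) {
  return entries
    .filter((e) => !isSameOrigin(e.name, documentOrigin))
    .filter((e) => RESTRICTED_ATTRS.some((attr) => e[attr] !== 0))
    .map((e) => e.name);
}

// Constructed timing values for a fetch beginning at `start` milliseconds.
function sampleTiming(start) {
  return {
    startTime: start, fetchStart: start,
    redirectStart: 0, redirectEnd: 0,
    domainLookupStart: start + 1, domainLookupEnd: start + 3,
    connectStart: start + 3, secureConnectionStart: start + 4,
    connectEnd: start + 8, requestStart: start + 8,
    responseStart: start + 15, responseEnd: start + 20, duration: 20,
  };
}

// Constructed sample: a same-origin script, a CDN script whose response had
// no Timing-Allow-Origin header, and an analytics script that sent "*".
const DOCUMENT_ORIGIN = "https://app.example";
const fetchRecords = [
  { tao: null, entry: { name: "https://app.example/main.js", ...sampleTiming(10) } },
  { tao: null, entry: { name: "https://cdn.example.net/lib.js", ...sampleTiming(20) } },
  { tao: "*",  entry: { name: "https://stats.example.org/t.js", ...sampleTiming(30) } },
];

// What script on https://app.example would actually be able to read.
function visibleEntries() {
  return fetchRecords.map((r) =>
    applyCrossOriginRestriction(r.entry, DOCUMENT_ORIGIN, r.tao));
}

console.log(exposedCrossOriginEntries(visibleEntries(), DOCUMENT_ORIGIN));
```

Running it lists only the analytics script as a cross-origin resource with exposed phase timing; the CDN script keeps fetchStart and responseEnd but has every restricted attribute zeroed, which is exactly the trade-off in point #1.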