W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Do we need to rename the Origin header?

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 9 Apr 2009 06:42:25 +0000 (UTC)
To: Bil Corry <bil@corry.biz>
Cc: public-webapps@w3.org
Message-ID: <Pine.LNX.4.62.0904090625310.19453@hixie.dreamhostps.com>
On Thu, 9 Apr 2009, Bil Corry wrote:
> 
> For example, imagine instead you visit a malicious site, and it wants to 
> phish your banking credentials.  But rather than choosing a random bank 
> and hoping you bank there, it instead launches a series of timing 
> attacks against the top 30 banks, determines which bank(s) you're logged 
> into, then tries phishing against the one you're logged into.  
> CORS-Origin can't help, but a robust Origin could.

You could just do a timing attack against non-login-protected assets that 
are only shown while logged in, or even just do timing attacks against any 
cached resource from the site, to see if they visited it. Or heck, you 
could just do a regular :visited history probing attack to see which site 
they visited. If we wanted to protect against timing attacks like this 
I think we would need to just have the browser itself ensure all network 
traffic has unpredictable timing (and remove the visited URLs features).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 9 April 2009 06:43:07 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT