20.03.2009, Χ 1:52, Jonas Sicking ΞΑΠΙΣΑΜ(Α): > I don't know how easy it is with current technologies to do this > reliably. Or how big chances are that we can fix those technologies in > the future to not work at all, or at least be less reliable. > > If you have that information I can try to bring a case for security > review here. The examples Ian gave all seem reliable to me. Besides, I think that my example with timing of POST requests is quite reliable. It has been repeatedly shown that timing-related checks are incredibly powerful - see e.g. <http://www.daemonology.net/hyperthreading-considered-harmful/ >. A possible counter-argument is that there is more than simple port scanning that we should worry about - with sufficient out of band information, it could be possible to precisely detect operating systems and services on the internal network, see <http://nmap.org/book/osdetect.html >. I doubt that upload progress events provide much above upload timing in this regard, but it might be that they do. - WBR, Alexey ProskuryakovReceived on Friday, 20 March 2009 12:21:54 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:07 GMT