
Re: HTML extension for system idle detection.

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 17 Sep 2009 11:50:08 -0700
Message-ID: <63df84f0909171150u38b3135eh563cdde9dc45828c@mail.gmail.com>
To: Jeremy Orlow <jorlow@chromium.org>
Cc: Arve Bersvendsen <arveb@opera.com>, David Bennett <ddt@google.com>, public-webapps@w3c.org

On Thu, Sep 17, 2009 at 10:35 AM, Jeremy Orlow <jorlow@chromium.org> wrote:
> On Thu, Sep 17, 2009 at 12:50 AM, Arve Bersvendsen <arveb@opera.com> wrote:
>>
>> On Thu, 17 Sep 2009 00:05:58 +0200, David Bennett <ddt@google.com> wrote:
>>
>>> I have a proposal for an extension to JavaScript to enable browsers to
>>> access system idle information.  Please give me feedback and suggestions
>>> on the proposal.
>>
>>
>> What exactly are the security and privacy implications of detecting system
>> idle activity in the browser?
>
> As far as I know, there really aren't any.  This was discussed on WhatWG
> (before being directed here) and IIRC there were no serious security or
> privacy concerns.  The minimum resolution of the event makes attacks based
> on keystroke timing impossible.  Some people suggested that web apps could
> do something "bad" while the user is away, but I don't think anyone could
> come up with a good example of something "bad".  Can you think of any
> specific concerns?

This definitely sounds like one of those things that aren't bad on
their own, but when combined with something else could turn a problem
into a worse problem.

For example, say that a browser has a refcounting bug somewhere that
causes the refcount to be artificially increased by one. While this is
a problem on its own, it generally just leads to leaks. However, if an
attacker had a lot of time, he could cause the refcount to get so high
that it overflows and wraps back to zero. Often you need to increase
the refcount 2^32 times, which means that it takes a decent amount of
time, during which the CPU is pegged.

If the user is present, it's likely that he'll try to shut down the
offending CPU-hogging application. However if this can be done while
the user is away then that becomes more likely to succeed.

So, while knowing that the user is away isn't enough to do something
bad, it can be used in combination with other attacks to make them
worse.

I don't right now feel strongly on if this is bad enough to kill the
feature, but it's an answer to your question about "bad".

/ Jonas
Received on Thursday, 17 September 2009 18:51:10 GMT
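
The refcount wrap described in the message above, as an added example that is not part of the original message: a plain 32-bit counter beside a saturating one that leaks the object instead of freeing it. The `obj` struct, the function names and the near-maximum starting count are constructed for illustration; the starting count stands in for the leaked increments already accumulated, so the run is instant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical refcounted object (constructed for this example). */
struct obj { uint32_t refs; bool freed; };

/* Plain counter: unsigned arithmetic wraps, so UINT32_MAX + 1 == 0. */
static void get_wrapping(struct obj *o) { o->refs++; }
static void put_wrapping(struct obj *o) { if (--o->refs == 0) o->freed = true; }

/* Saturating counter: once it reaches UINT32_MAX it stays there and the
 * object is never freed. A leak is the safe failure mode. */
static void get_saturating(struct obj *o) { if (o->refs != UINT32_MAX) o->refs++; }
static void put_saturating(struct obj *o)
{
    if (o->refs == UINT32_MAX) return;      /* saturated: pinned forever */
    if (--o->refs == 0) o->freed = true;
}

/* One owner holds a reference for the whole run and never releases it.
 * `start` is the count so far (owner + earlier leaks), `leaks` is how many
 * more times the buggy path takes a reference without dropping it.
 * Returns true if the object is freed while the owner still holds it. */
static bool freed_under_owner(bool saturating, uint32_t start, uint32_t leaks)
{
    struct obj o = { .refs = start, .freed = false };
    for (uint32_t i = 0; i < leaks; i++) {
        if (saturating) get_saturating(&o); else get_wrapping(&o);
    }
    /* A correct, balanced get/put by some other user of the object. */
    if (saturating) { get_saturating(&o); put_saturating(&o); }
    else            { get_wrapping(&o);   put_wrapping(&o); }
    return o.freed;
}

int main(void)
{
    uint32_t near_max = UINT32_MAX - 2;     /* constructed starting count */
    printf("wrapping,   3 more leaks: freed under owner = %d\n",
           freed_under_owner(false, near_max, 3));
    printf("saturating, 3 more leaks: freed under owner = %d\n",
           freed_under_owner(true, near_max, 3));
    printf("wrapping,   no leaks:     freed under owner = %d\n",
           freed_under_owner(false, 1, 0));
    return 0;
}
```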
