- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 28 Sep 2009 13:57:59 +0200
- To: "Alexey Proskuryakov" <ap@webkit.org>, "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Ian Hickson" <ian@hixie.ch>, public-webapps <public-webapps@w3.org>
Any update on this Jonas?

On Fri, 20 Mar 2009 13:21:17 +0100, Alexey Proskuryakov <ap@webkit.org> wrote:
> 20.03.2009, at 1:52, Jonas Sicking wrote:
>
>> I don't know how easy it is with current technologies to do this
>> reliably. Or how big chances are that we can fix those technologies in
>> the future to not work at all, or at least be less reliable.
>>
>> If you have that information I can try to bring a case for security
>> review here.
>
> The examples Ian gave all seem reliable to me.
>
> Besides, I think that my example with timing of POST requests is quite
> reliable. It has been repeatedly shown that timing-related checks are
> incredibly powerful - see e.g.
> <http://www.daemonology.net/hyperthreading-considered-harmful/>.
>
> A possible counter-argument is that there is more than simple port
> scanning that we should worry about - with sufficient out of band
> information, it could be possible to precisely detect operating systems
> and services on the internal network, see
> <http://nmap.org/book/osdetect.html>. I doubt that upload progress
> events provide much above upload timing in this regard, but it might be
> that they do.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 28 September 2009 11:58:42 UTC