
Re: [W3C Web Crypto WG] Deciding if we need a discovery mechanism

From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 21 May 2012 11:10:36 -0700
Message-ID: <CABcZeBOOwjfQJJsu6-uYTgp6cHWkNMP7_Mmft7vCOFO83usH5Q@mail.gmail.com>
To: Wendy Seltzer <wseltzer@w3.org>
Cc: Jarred Nicholls <jarred@webkit.org>, GALINDO Virginie <Virginie.GALINDO@gemalto.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Mon, May 21, 2012 at 9:34 AM, Wendy Seltzer <wseltzer@w3.org> wrote:
> On 05/15/2012 12:10 PM, Jarred Nicholls wrote:
>> On Tue, May 15, 2012 at 10:59 AM, GALINDO Virginie <
>> Virginie.GALINDO@gemalto.com> wrote:
>>
>>>  Dear all,
>>>
>>> Some people mentioned that a webapp may be able to discover the algorithms
>>> supported by the environment it is running in, thus identifying algorithms
>>> available thanks to the Web Crypto API. There are several means to do that
>>> (1) either by an actual discovery mechanism sending back the entire list of
>>> algorithms,
>
> I'd like to hear a bit about the fingerprinting possibilities that a
> discovery mechanism opens up.  Inspecting the browser's crypto
> properties could introduce privacy and security concerns.
>

My intuition is that this battle is already lost, especially as algorithm
fingerprinting (as opposed to key discovery) probably doesn't leak that much
information about the hardware platform. Compare to, for instance:

http://cseweb.ucsd.edu/~kmowery/papers/html5-fingerprint.pdf

-Ekr


Received on Monday, 21 May 2012 18:12:09 UTC
