[compute-pressure] Feature can be abused to create cross-site covert channels (#197)

pes10k has just created a new issue for https://github.com/w3c/compute-pressure:

== Feature can be abused to create cross-site covert channels ==
This issue is being filed as part of the [requested PING review](https://github.com/w3cping/privacy-request/issues/113)

This feature can be abused to create a cross-site covert channel; one site can write to the channel by manipulating the state of the CPU, and another site can read from the channel by using the proposed API to learn when the state of the CPU has changed.

The spec attempts to guard against this abuse in two ways:
 i. rate limiting how frequently a reading site can read compute-pressure changes (every 1s for an active document, every 10s for a non-active document)
 ii. only allowing one site to read from the channel at a time

I do not think either of these mitigations is a defense though. For the first point, the spec says it's intended to be used on pages users are likely to dwell on for a long time (e.g., video conferencing sites). In such a case, learning a bit of information every second is not a useful limitation. If a user is, for example, video conferencing for 5 minutes, that's at least 300 bits of information, plenty of information to encode a unique identifier and necessary metadata. (At least because if there are 4 states that can be transmitted, you're sending 2 bits of info per second, and so a clever attacker could double the bandwidth.)


Please view or discuss this issue at https://github.com/w3c/compute-pressure/issues/197 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 21 March 2023 01:51:23 UTC