- From: Rik Cabanier via GitHub <sysbot+gh@w3.org>
- Date: Fri, 14 Jan 2022 17:09:59 +0000
- To: public-fxtf-archive@w3.org
After we shipped this feature with blend modes that weren't susceptible to time, someone on the Skia team refactored the formulas which enabled a time attack. See https://arstechnica.com/information-technology/2018/05/chrome-and-firefox-leaks-let-sites-steal-visitors-facebook-names-profile-pics/

You need to make sure that `plus-lighter` executes the same regardless of its input. Since there's a `min(..., ...)`, there might be an `if` block in the implementation which would introduce a timing attack.

--
GitHub Notification of comment by cabanier
Please view or discuss this issue at https://github.com/w3c/fxtf-drafts/pull/444#issuecomment-1013304080 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 14 January 2022 17:10:01 UTC
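
The concern in the comment above, as an added example that is not part of the original message and is not Skia or specification code: a clamp written with an `if` beside a branchless form that does the same work for every input. It assumes 8-bit premultiplied channels, so that `plus-lighter` per channel is `min(255, s + d)`; all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: 8-bit premultiplied channels, so plus-lighter per channel is
   min(255, s + d). All function names here are hypothetical. */

/* Branchy form: the clamp is an `if`, which a compiler may turn into a
   conditional jump whose cost depends on the pixel values. */
static uint8_t plus_lighter_branchy(uint8_t s, uint8_t d) {
    unsigned sum = (unsigned)s + d;
    if (sum > 255) return 255;
    return (uint8_t)sum;
}

/* Branchless form: sum is 0..510, so bit 8 is the overflow flag. Negating it
   gives an all-zeros or all-ones mask; OR-ing saturates the low byte. */
static uint8_t plus_lighter_branchless(uint8_t s, uint8_t d) {
    unsigned sum = (unsigned)s + d;
    unsigned mask = 0u - (sum >> 8);
    return (uint8_t)(sum | mask);
}

/* Blend a row in place; the loop count depends only on nbytes, never on
   the channel values. */
static void plus_lighter_row(uint8_t *dst, const uint8_t *src, size_t nbytes) {
    for (size_t i = 0; i < nbytes; i++)
        dst[i] = plus_lighter_branchless(src[i], dst[i]);
}

/* Exhaustively compare both forms over all 65536 input pairs. */
static unsigned count_mismatches(void) {
    unsigned bad = 0;
    for (unsigned s = 0; s < 256; s++)
        for (unsigned d = 0; d < 256; d++)
            bad += plus_lighter_branchy((uint8_t)s, (uint8_t)d) !=
                   plus_lighter_branchless((uint8_t)s, (uint8_t)d);
    return bad;
}

int main(void) {
    uint8_t src[4] = {200, 10, 255, 0};   /* constructed sample pixel */
    uint8_t dst[4] = {100, 20, 255, 0};
    plus_lighter_row(dst, src, sizeof dst);
    printf("%u %u %u %u, mismatches=%u\n", dst[0], dst[1], dst[2], dst[3],
           count_mismatches());
    return 0;
}
```

Branch-free source is not a guarantee about the compiled code: an optimizer can reintroduce or remove branches, so the generated instructions for the target build are what needs checking.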