Re: High Resolution Time 2: time origin and worker support

Hi Christine, Nick,

I noticed the discussion in the privacy call yesterday.

Regarding the timing attacks, it was recognized as a serious privacy 
issue. Mozilla was the first one to recognize it and Google and 
Microsoft followed. See
  https://github.com/w3c/hr-time/issues/4

FYI, I'm tracking the PLING review at
  https://github.com/w3c/hr-time/issues/20

Feel free to pitch into our issues as you see fit. Let me know what kind 
of follow-up is needed on our side, btw, since we'd like to move the 
spec to CR.

Thank you,

Philippe


On 11/17/2015 01:36 PM, Christine Runnegar wrote:
> Thanks Philippe.
>
> We will add this to agenda for the next PING call (3 December 2015 at UTC 17).
>
> In the meantime, if anyone has initial feedback and/or questions, please post them on this list.
>
> Christine
>
>> On 17 Nov 2015, at 2:59 pm, Philippe Le Hegaret <plh@w3.org> wrote:
>>
>> The latest version of High Resolution Time is ready for wide review.
>>
>> One can find the latest draft at:
>>   http://www.w3.org/TR/hr-time-2/
>>
>> High Resolution Time Level 2 replaces the first version of High Resolution Time [HR-TIME] and includes:
>>
>> * Defines a precise definition of time origin for the purpose of all performance timeline related specifications;
>>
>> * Provides the base definition for the Performance interface, including support for the Performance.now method in Web Workers [WORKERS];
>>
>> * Introduces the method Performance.translateTime to compare times between different time origins;
>>
>> * To mitigate cache attacks, the recommended minimum resolution of the Performance interface should be set to 5 microseconds.
>>
>> The method Performance.translateTime is marked as "at risk" for the purpose of moving High Resolution Time 2 to W3C Recommendation due to its lack of implementation experience. It is expected to be deferred until the next release at the moment.
>>
>> [[
>> 8. Privacy and Security
>>
>> Cache attacks and statistical fingerprinting is a privacy and security concern where a malicious web site may use high resolution timing data of various browser or application-initiated operations to identify a particular user - see [CACHE-ATTACKS]. To mitigate such attacks, the recommended minimum resolution of the Performance interface should be set to 5 microseconds.
>> ]]
>> http://www.w3.org/TR/hr-time-2/#privacy-security
>>
>> New issues are welcome at
>> https://github.com/w3c/hr-time/issues
>>
>> Thank you,
>>
>> Philippe
>>
>

Received on Friday, 4 December 2015 15:58:49 UTC