- From: Christine Runnegar <runnegar@isoc.org>
- Date: Mon, 7 Dec 2015 06:51:50 +0000
- To: Philippe Le Hegaret <plh@w3.org>
- CC: Nicholas Doty <npdoty@w3.org>, Wendy Seltzer <wseltzer@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Many thanks Philippe.

Thank you again Philippe and Mark for joining our PING calls. It’s really rewarding to see how carefully and thoughtfully the WG is addressing privacy and security considerations. Thank you!

Christine (co-chair)

> On 4 Dec 2015, at 4:58 pm, Philippe Le Hegaret <plh@w3.org> wrote:
>
> Hi Christine, Nick,
>
> I noticed the discussion in the privacy call yesterday.
>
> Regarding the timing attacks, it was recognized as a serious privacy issue. Mozilla was the first one to recognize it and Google and Microsoft followed. See
> https://github.com/w3c/hr-time/issues/4
>
> Fyi, I'm tracking the PLING review at
> https://github.com/w3c/hr-time/issues/20
>
> Feel free to pitch into our issues as you see fit. Let me know what kind of following up is needed on our side btw since we'd like to move the spec to CR.
>
> Thank you,
>
> Philippe
>
>
> On 11/17/2015 01:36 PM, Christine Runnegar wrote:
>> Thanks Philippe.
>>
>> We will add this to agenda for the next PING call (3 December 2015 at UTC 17).
>>
>> In the meantime, if anyone has initial feedback and/or questions, please post them on this list.
>>
>> Christine
>>
>>> On 17 Nov 2015, at 2:59 pm, Philippe Le Hegaret <plh@w3.org> wrote:
>>>
>>> The latest version of High Resolution Time is ready for wide review.
>>>
>>> One can find the latest draft at:
>>> http://www.w3.org/TR/hr-time-2/
>>>
>>> High Resolution Time Level 2 replaces the first version of High Resolution Time [HR-TIME] and includes:
>>>
>>> * Defines a precise definition of time origin for the purpose of all performance timeline related specifications;
>>>
>>> * Provides the base definition for the Performance interface, including support for the Performance.now method in Web Workers [WORKERS];
>>>
>>> * Introduces the method Performance.translateTime to compare times between different time origins;
>>>
>>> * To mitigate cache attacks, the recommended minimum resolution of the Performance interface should be set to 5 microseconds.
>>>
>>> The method Performance.translateTime is marked as "at risk" to the purpose of moving High Resolution Time 2 to W3C Recommendation due to its lack of implementation experience. It is expected to be deferred until the next release at the moment.
>>>
>>> [[
>>> 8. Privacy and Security
>>>
>>> Cache attacks and statistical fingerprinting is a privacy and security concern where a malicious web site may use high resolution timing data of various browser or application-initiated operations to identify a particular user - see [CACHE-ATTACKS]. To mitigate such attacks, the recommended minimum resolution of the Performance interface should be set to 5 microseconds.
>>> ]]
>>> http://www.w3.org/TR/hr-time-2/#privacy-security
>>>
>>> New issues are welcome at
>>> https://github.com/w3c/hr-time/issues
>>>
>>> Thank you,
>>>
>>> Philippe
>>>
>>
Received on Monday, 7 December 2015 06:52:26 UTC
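
The 5 microsecond recommendation quoted in the thread can be checked from script. The following is an added example, not part of the mailing-list messages or of the High Resolution Time draft: it estimates the smallest step a millisecond clock exposes and compares it with the recommended minimum. All function names are hypothetical, and the stepped clocks are constructed test inputs.

```javascript
// Added example: check a clock's granularity against the 5 microsecond
// recommendation quoted above. All function names here are hypothetical.
const RECOMMENDED_MIN_RESOLUTION_MS = 0.005; // 5 µs expressed in milliseconds

// Coarsen a millisecond timestamp to a multiple of resolutionMs.
function clampTimestamp(tMs, resolutionMs = RECOMMENDED_MIN_RESOLUTION_MS) {
  return Math.floor(tMs / resolutionMs) * resolutionMs;
}

// Read `clock` repeatedly and return the smallest positive step seen (ms).
// Returns Infinity if the clock never advanced within maxReads reads.
function estimateResolution(clock, ticksWanted = 200, maxReads = 5e6) {
  let smallest = Infinity;
  let prev = clock();
  let ticks = 0;
  for (let reads = 0; reads < maxReads && ticks < ticksWanted; reads++) {
    const now = clock();
    const delta = now - prev;
    if (delta > 0) {
      smallest = Math.min(smallest, delta);
      ticks++;
      prev = now;
    }
  }
  return smallest;
}

// True when the observed step is no finer than the recommended minimum.
function meetsRecommendation(clock, toleranceMs = 1e-6) {
  return estimateResolution(clock) >= RECOMMENDED_MIN_RESOLUTION_MS - toleranceMs;
}

// Constructed test clock: advances stepUs microseconds on every read.
function makeSteppedClock(stepUs) {
  let us = 0;
  return () => (us += stepUs) / 1000;
}

const rawClock = makeSteppedClock(1); // 1 µs steps, finer than recommended
const coarseSource = makeSteppedClock(1);
const coarseClock = () => clampTimestamp(coarseSource());

console.log('raw 1 µs clock meets recommendation:', meetsRecommendation(rawClock));
console.log('clamped clock meets recommendation: ', meetsRecommendation(coarseClock));
if (typeof performance !== 'undefined') {
  console.log('performance.now() smallest step (ms):',
    estimateResolution(() => performance.now()));
}
```
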