- From: Tara Whalen <tjwhalen@gmail.com>
- Date: Wed, 24 Feb 2016 22:55:49 -0800
- To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CA+T70AjOTseQzTnFVH_B-H2PMoiqfY2zbncJi7CuG7A9E-q8AA@mail.gmail.com>
PING – informal chairs summary – 21 January 2016

Thank you to Todd Reifsteck, Philippe Le Hegaret, and Yoav Weiss from the Web Performance Working Group for joining our call. Thanks to Wendy Seltzer for acting as scribe.

Our next call will be on 25 February 2016 at the usual time.

* High Resolution Time Level 2

Philippe Le Hegaret from the Web Performance Working Group presented an overview of privacy considerations of High Resolution Time Level 2 [1]. In November, a request was sent to PING [2] for review. One issue that came up last year was that this specification could be used for timing attacks, as identified in research [3],[4]. Because of this issue, the WG was forced to reduce the accuracy of the timer. More recently, another attack was reported (with exploit not yet complete in JavaScript) [5]; discussion with a researcher indicated that even a more granular accuracy would be insufficient to stop it.

Discussion of this issue focused on any potential mitigations; research indicates that even if timer accuracy is reduced, you can still use JavaScript data object. Nick Doty proposed it might be useful to talk to security experts about the risks (if any) of revealing memory addresses even if the JavaScript code can't execute natively on the machine.

In terms of next steps, the WG is moving this to Candidate Recommendation in order to get version 2 out; Philippe notes that if there is progress in the Rowhammer attack, then they will re-open the question.

* Privacy Questionnaire

Greg Norcie notes that the questionnaire has been ported from the wiki to GitHub [6], and hopes that pull requests will be an effective channel for feedback. Greg also wants to send feedback to the TAG on their security questionnaire. Discussion suggested that it would be most helpful to use GitHub issue tracking, and to periodically review and update the questionnaire.

* AOB

Nick Doty notes that the TAG has feedback on the Fingerprinting Guidance document, which he will be discussing with them. In addition, the Web Performance WG has been working on Beacon, and Nick has opened some issues for discussion with them [7].

* Next call

25 February 2016 at UTC 17

Christine and Tara

[1] http://www.w3.org/TR/hr-time-2/
[2] https://lists.w3.org/Archives/Public/public-privacy/2015OctDec/0134.html
[3] https://github.com/w3c/hr-time/issues/4
[4] http://arxiv.org/pdf/1502.07373v2.pdf
[5] http://www.rowhammer.com/
[6] https://github.com/gregnorc/ping-privacy-questions
[7] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0003.html
Received on Thursday, 25 February 2016 06:56:16 UTC