PING – informal chairs summary – 21 January 2016

Thank you to Todd Reifsteck, Philippe Le Hegaret, and Yoav Weiss from the
Web Performance Working Group for joining our call.

Thanks to Wendy Seltzer for acting as scribe.

Our next call will be on 25 February 2016 at the usual time.

* High Resolution Time Level 2

Philippe Le Hegaret from the Web Performance Working Group presented an
overview of the privacy considerations of High Resolution Time Level 2 [1]. In
November, a request for review was sent to PING [2]. One issue that came up
last year was that this specification could be used for timing attacks, as
identified in research [3],[4]. Because of this issue, the WG was forced to
reduce the accuracy of the timer. More recently, another attack was
reported (with the exploit not yet complete in JavaScript) [5]; discussion with
a researcher indicated that even a coarser timer granularity would be
insufficient to stop it.
Discussion of this issue focused on potential mitigations; research
indicates that even if timer accuracy is reduced, a JavaScript data object
can still be used instead. Nick Doty proposed that it might be useful to talk to
security experts about the risks (if any) of revealing memory addresses
even if the JavaScript code can't execute natively on the machine. In terms
of next steps, the WG is moving this to Candidate Recommendation in order
to get version 2 out; Philippe notes that if there is progress on the
Rowhammer attack, then they will re-open the question.
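The mitigation discussed above, reducing the accuracy of the timer, amounts to
quantising every timestamp the script can observe to a fixed grid. The following
is an added illustration written for this summary, not code from the Web
Performance WG or from any browser; the 5 microsecond grid is an assumed value,
not one stated in the specification or on this call. It shows that a single
measurement of a duration shorter than the grid step collapses to zero while
millisecond-scale measurements (the intended use of the API) survive intact,
which is why the WG could coarsen the clock without breaking ordinary
performance monitoring:

```javascript
// Added example: timestamp coarsening of the kind used to reduce timer
// accuracy. All values are integer microseconds so the arithmetic is exact.
// ASSUMED_RESOLUTION_US is an assumption for illustration, not a spec value.
const ASSUMED_RESOLUTION_US = 5;

// Snap a raw timestamp down to the nearest multiple of the resolution.
function coarsen(rawMicros, resolutionMicros = ASSUMED_RESOLUTION_US) {
  if (!Number.isInteger(rawMicros) || rawMicros < 0) {
    throw new RangeError("timestamp must be a non-negative integer");
  }
  if (!Number.isInteger(resolutionMicros) || resolutionMicros <= 0) {
    throw new RangeError("resolution must be a positive integer");
  }
  return Math.floor(rawMicros / resolutionMicros) * resolutionMicros;
}

// Wrap a raw clock source so callers only ever see coarsened, monotonic
// values (a real implementation would wrap the platform clock here).
function makeCoarseClock(rawNowMicros, resolutionMicros = ASSUMED_RESOLUTION_US) {
  let last = 0;
  return function now() {
    const value = coarsen(rawNowMicros(), resolutionMicros);
    if (value < last) return last; // never go backwards
    last = value;
    return value;
  };
}

// Constructed, deterministic scenario: a simulated clock that starts at
// startOffsetMicros and advances only when we tell it to. We time two
// operations of known true duration and report the difference a script
// would observe between them.
function observedDifference(durationA, durationB, resolutionMicros, startOffsetMicros = 0) {
  let simulatedTime = startOffsetMicros;
  const clock = makeCoarseClock(() => simulatedTime, resolutionMicros);

  const startA = clock();
  simulatedTime += durationA;
  const endA = clock();

  const startB = clock();
  simulatedTime += durationB;
  const endB = clock();

  return (endB - startB) - (endA - startA);
}

// Sub-resolution difference (1 µs vs 3 µs) is hidden on a 5 µs grid:
console.log("small difference observed as:", observedDifference(1, 3, 5));    // 0
// Millisecond-scale difference (1 ms vs 3 ms) is still visible:
console.log("large difference observed as:", observedDifference(1000, 3000, 5)); // 2000
```

The deterministic simulated clock is what makes the demonstration repeatable;
with a real clock the same calls would give the same shape of result but the
exact raw values would vary from run to run.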

* Privacy Questionnaire

Greg Norcie notes that the questionnaire has been ported from the wiki to
GitHub [6], and hopes that pull requests will be an effective channel for
feedback. Greg also wants to send feedback to the TAG on their security
questionnaire. Discussion suggested that it would be most helpful to use
GitHub issue tracking, and to periodically review and update the
questionnaire.

* AOB

Nick Doty notes that the TAG has feedback on the Fingerprinting Guidance
document, which he will be discussing with them. In addition, the Web
Performance WG has been working on Beacon, and Nick has opened some issues
for discussion with them [7].

* Next call

25 February 2016 at 17:00 UTC

Christine and Tara

[1] http://www.w3.org/TR/hr-time-2/
[2] https://lists.w3.org/Archives/Public/public-privacy/2015OctDec/0134.html
[3] https://github.com/w3c/hr-time/issues/4
[4] http://arxiv.org/pdf/1502.07373v2.pdf
[5] http://www.rowhammer.com/
[6] https://github.com/gregnorc/ping-privacy-questions
[7] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0003.html

Received on Thursday, 25 February 2016 06:56:16 UTC