W3C home > Mailing lists > Public > public-privacy@w3.org > January to March 2016

Re: PING – informal chairs summary – 21 January 2016

From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Thu, 25 Feb 2016 08:13:59 -0500
Message-ID: <CABtrr-XeE9pSC6KCZieNP8JzoWAV_bdpcq+=8FKwUyTixiqnwg@mail.gmail.com>
To: Tara Whalen <tjwhalen@gmail.com>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
I apologize for consistently being out for travel for PING calls lately.
One thing would help: mentioning the next call date immediately on the PING
email list so that those that can't make the call can at least pencil in
the next one. (And apologies if you do that and I didn't see it.)

On Wednesday, February 24, 2016, Tara Whalen <tjwhalen@gmail.com> wrote:

> PING – informal chairs summary –  21 January 2016
>
> Thank you to Todd Reifsteck, Philippe Le Hegaret, and Yoav Weiss from the
> Web Performance Working Group for joining our call.
>
> Thanks to Wendy Seltzer for acting as scribe.
>
> Our next call will be on 25 February 2016 at the usual time.
>
> * High Resolution Time Level 2
>
> Philippe Le Hegaret from the Web Performance Working Group presented an
> overview of privacy considerations of High Resolution Time Level 2 [1]. In
> November, a request was sent to PING [2] for review. One issue that came up
> last year was that this specification could be used for timing attacks, as
> identified in research [3],[4]. Because of this issue, the WG was forced to
> reduce the accuracy of the timer. More recently, another attack was
> reported (with exploit not yet complete in JavaScript) [5]; discussion with
> a researcher indicated that even a more granular accuracy would be
> insufficient to stop it.
> Discussion of this issue focused on any potential mitigations; research
> indicates that even if timer accuracy is reduced, you can still use
> JavaScript data object. Nick Doty proposed it might be useful to talk to
> security experts about the risks (if any) of revealing memory addresses
> even if the JavaScript code can't execute natively on the machine. In terms
> of next steps, the WG is moving this to Candidate Recommendation in order
> to get version 2 out; Philippe notes that if there is progress in the
> Rowhammer attack, then they will re-open the question.
>
> * Privacy Questionnaire
> Greg Norcie notes that the questionnaire has been ported from the wiki to
> GitHub [6], and hopes that pull requests will be an effective channel for
> feedback. Greg also wants to send feedback to the TAG on their security
> questionnaire. Discussion suggested that it would be most helpful to use
> GitHub issue tracking, and to periodically review and update the
> questionnaire.
>
> * AOB
> Nick Doty notes that the TAG has feedback on the Fingerprinting Guidance
> document, which he will be discussing with them. In addition, the Web
> Performance WG has been working on Beacon, and Nick has opened some issues
> for discussion with them [7].
>
> * Next call
>
> 25 February 2016 at UTC 17
>
> Christine and Tara
>
> [1] http://www.w3.org/TR/hr-time-2/
> [2]
> https://lists.w3.org/Archives/Public/public-privacy/2015OctDec/0134.html
> [3] https://github.com/w3c/hr-time/issues/4
> [4] http://arxiv.org/pdf/1502.07373v2.pdf
> [5] http://www.rowhammer.com/
> [6] https://github.com/gregnorc/ping-privacy-questions
> [7]
> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0003.html
>


-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

CDT's annual dinner, Tech Prom, is April 6, 2016!
https://cdt.org/annual-dinner
Received on Thursday, 25 February 2016 13:14:28 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 25 February 2016 13:14:28 UTC