Re: PING – informal chairs summary – 21 January 2016

Hi Tara,

I thought the agenda would include both the WebRTC review and the
Vibration API review. I spent a lot of time on both, so I hope we can at
least briefly discuss them.

Thanks for the help.

Greg Norcie
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800


On Thu, Feb 25, 2016 at 1:55 AM, Tara Whalen wrote:

> PING – informal chairs summary –  21 January 2016
> Thank you to Todd Reifsteck, Philippe Le Hegaret, and Yoav Weiss from the
> Web Performance Working Group for joining our call.
> Thanks to Wendy Seltzer for acting as scribe.
> Our next call will be on 25 February 2016 at the usual time.
> * High Resolution Time Level 2
> Philippe Le Hegaret from the Web Performance Working Group presented an
> overview of privacy considerations of High Resolution Time Level 2 [1]. In
> November, a request was sent to PING [2] for review. One issue that came up
> last year was that this specification could be used for timing attacks, as
> identified in research [3],[4]. Because of this issue, the WG was forced to
> reduce the accuracy of the timer. More recently, another attack was
> reported (with exploit not yet complete in JavaScript) [5]; discussion with
> a researcher indicated that even a more granular accuracy would be
> insufficient to stop it.
> Discussion of this issue focused on any potential mitigations; research
> indicates that even if timer accuracy is reduced, you can still use
> JavaScript data object. Nick Doty proposed it might be useful to talk to
> security experts about the risks (if any) of revealing memory addresses
> even if the JavaScript code can't execute natively on the machine. In terms
> of next steps, the WG is moving this to Candidate Recommendation in order
> to get version 2 out; Philippe notes that if there is progress in the
> Rowhammer attack, then they will re-open the question.
> * Privacy Questionnaire
> Greg Norcie notes that the questionnaire has been ported from the wiki to
> GitHub [6], and hopes that pull requests will be an effective channel for
> feedback. Greg also wants to send feedback to the TAG on their security
> questionnaire. Discussion suggested that it would be most helpful to use
> GitHub issue tracking, and to periodically review and update the
> questionnaire.
> * AOB
> Nick Doty notes that the TAG has feedback on the Fingerprinting Guidance
> document, which he will be discussing with them. In addition, the Web
> Performance WG has been working on Beacon, and Nick has opened some issues
> for discussion with them [7].
> * Next call
> 25 February 2016 at UTC 17
> Christine and Tara
> [1]
> [2]
> [3]
> [4]
> [5]
> [6]
> [7]

Received on Thursday, 25 February 2016 15:25:00 UTC