Re: PING – informal chairs summary – 21 January 2016

Hi Tara,

I thought the agenda would include both the WebRTC review and the
Vibration API review. I spent a lot of time on both, so I hope we can at
least briefly discuss them.

Thanks for the help.

/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt



*CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out! Learn
more at https://cdt.org/annual-dinner*
/*******************************************/

On Thu, Feb 25, 2016 at 1:55 AM, Tara Whalen <tjwhalen@gmail.com> wrote:

> PING – informal chairs summary –  21 January 2016
>
> Thank you to Todd Reifsteck, Philippe Le Hegaret, and Yoav Weiss from the
> Web Performance Working Group for joining our call.
>
> Thanks to Wendy Seltzer for acting as scribe.
>
> Our next call will be on 25 February 2016 at the usual time.
>
> * High Resolution Time Level 2
>
> Philippe Le Hegaret from the Web Performance Working Group presented an
> overview of privacy considerations of High Resolution Time Level 2 [1]. In
> November, a request was sent to PING [2] for review. One issue that came up
> last year was that this specification could be used for timing attacks, as
> identified in research [3],[4]. Because of this issue, the WG was forced to
> reduce the accuracy of the timer. More recently, another attack was
> reported (with exploit not yet complete in JavaScript) [5]; discussion with
> a researcher indicated that even a more granular accuracy would be
> insufficient to stop it.
> Discussion of this issue focused on any potential mitigations; research
> indicates that even if timer accuracy is reduced, you can still use
> JavaScript data object. Nick Doty proposed it might be useful to talk to
> security experts about the risks (if any) of revealing memory addresses
> even if the JavaScript code can't execute natively on the machine. In terms
> of next steps, the WG is moving this to Candidate Recommendation in order
> to get version 2 out; Philippe notes that if there is progress in the
> Rowhammer attack, then they will re-open the question.
>
> * Privacy Questionnaire
> Greg Norcie notes that the questionnaire has been ported from the wiki to
> GitHub [6], and hopes that pull requests will be an effective channel for
> feedback. Greg also wants to send feedback to the TAG on their security
> questionnaire. Discussion suggested that it would be most helpful to use
> GitHub issue tracking, and to periodically review and update the
> questionnaire.
>
> * AOB
> Nick Doty notes that the TAG has feedback on the Fingerprinting Guidance
> document, which he will be discussing with them. In addition, the Web
> Performance WG has been working on Beacon, and Nick has opened some issues
> for discussion with them [7].
>
> * Next call
>
> 25 February 2016 at UTC 17
>
> Christine and Tara
>
> [1] http://www.w3.org/TR/hr-time-2/
> [2] https://lists.w3.org/Archives/Public/public-privacy/2015OctDec/0134.html
> [3] https://github.com/w3c/hr-time/issues/4
> [4] http://arxiv.org/pdf/1502.07373v2.pdf
> [5] http://www.rowhammer.com/
> [6] https://github.com/gregnorc/ping-privacy-questions
> [7] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0003.html
>

Received on Thursday, 25 February 2016 15:25:00 UTC