- From: Greg Norcie <gnorcie@cdt.org>
- Date: Thu, 25 Feb 2016 10:24:12 -0500
- To: Tara Whalen <tjwhalen@gmail.com>
- Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CAMJgV7aOG8JfJC2w-8My5pznDNdRvo83w8y8rqURv8NheQsTrg@mail.gmail.com>
Hi Tara,

I thought the agenda would include both the WebRTC review and the Vibration API review. I spent a lot of time on both, so I hope we can at least briefly discuss them.

Thanks for the help.

/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

*CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out! Learn more at https://cdt.org/annual-dinner*
/*******************************************/

On Thu, Feb 25, 2016 at 1:55 AM, Tara Whalen <tjwhalen@gmail.com> wrote:

> PING – informal chairs summary – 21 January 2016
>
> Thank you to Todd Reifsteck, Philippe Le Hegaret, and Yoav Weiss from the
> Web Performance Working Group for joining our call.
>
> Thanks to Wendy Seltzer for acting as scribe.
>
> Our next call will be on 25 February 2016 at the usual time.
>
> * High Resolution Time Level 2
>
> Philippe Le Hegaret from the Web Performance Working Group presented an
> overview of privacy considerations of High Resolution Time Level 2 [1]. In
> November, a request was sent to PING [2] for review. One issue that came up
> last year was that this specification could be used for timing attacks, as
> identified in research [3],[4]. Because of this issue, the WG was forced to
> reduce the accuracy of the timer. More recently, another attack was
> reported (with exploit not yet complete in JavaScript) [5]; discussion with
> a researcher indicated that even a more granular accuracy would be
> insufficient to stop it.
> Discussion of this issue focused on any potential mitigations; research
> indicates that even if timer accuracy is reduced, you can still use
> JavaScript data object. Nick Doty proposed it might be useful to talk to
> security experts about the risks (if any) of revealing memory addresses
> even if the JavaScript code can't execute natively on the machine. In terms
> of next steps, the WG is moving this to Candidate Recommendation in order
> to get version 2 out; Philippe notes that if there is progress in the
> Rowhammer attack, then they will re-open the question.
>
> * Privacy Questionnaire
> Greg Norcie notes that the questionnaire has been ported from the wiki to
> GitHub [6], and hopes that pull requests will be an effective channel for
> feedback. Greg also wants to send feedback to the TAG on their security
> questionnaire. Discussion suggested that it would be most helpful to use
> GitHub issue tracking, and to periodically review and update the
> questionnaire.
>
> * AOB
> Nick Doty notes that the TAG has feedback on the Fingerprinting Guidance
> document, which he will be discussing with them. In addition, the Web
> Performance WG has been working on Beacon, and Nick has opened some issues
> for discussion with them [7].
>
> * Next call
>
> 25 February 2016 at UTC 17
>
> Christine and Tara
>
> [1] http://www.w3.org/TR/hr-time-2/
> [2] https://lists.w3.org/Archives/Public/public-privacy/2015OctDec/0134.html
> [3] https://github.com/w3c/hr-time/issues/4
> [4] http://arxiv.org/pdf/1502.07373v2.pdf
> [5] http://www.rowhammer.com/
> [6] https://github.com/gregnorc/ping-privacy-questions
> [7] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0003.html
>
Received on Thursday, 25 February 2016 15:25:00 UTC