- From: Tara Whalen <tjwhalen@gmail.com>
- Date: Thu, 25 Feb 2016 07:31:10 -0800
- To: Greg Norcie <norcie@cdt.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CA+T70AievubA5z7kL2HKxp0xx_-jOdX+G5R3iG45K5651-Qtbg@mail.gmail.com>
Hi Greg,

Today's call agenda includes both those items:

> 1. Welcome and introductions
> 2. Web RTC 1.0
> 3. Vibration API
> 4. Privacy questionnaire
> 5. AOB

(You are perhaps responding to the summary of the *previous* call?)

--TW

On Thu, Feb 25, 2016 at 7:24 AM, Greg Norcie <gnorcie@cdt.org> wrote:

> Hi Tara,
>
> I thought the agenda would include both the WebRTC review and the
> Vibration API review. I spent a lot of time on both, so I hope we can at
> least briefly discuss them.
>
> Thanks for the help.
>
> /********************************************/
> Greg Norcie (norcie@cdt.org)
> Staff Technologist
> Center for Democracy & Technology
> District of Columbia office
> (p) 202-637-9800
> PGP: http://norcie.com/pgp.txt
>
> *CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out! Learn
> more at https://cdt.org/annual-dinner <https://cdt.org/annual-dinner>*
> /*******************************************/
>
> On Thu, Feb 25, 2016 at 1:55 AM, Tara Whalen <tjwhalen@gmail.com> wrote:
>
>> PING – informal chairs summary – 21 January 2016
>>
>> Thank you to Todd Reifsteck, Philippe Le Hegaret, and Yoav Weiss from the
>> Web Performance Working Group for joining our call.
>>
>> Thanks to Wendy Seltzer for acting as scribe.
>>
>> Our next call will be on 25 February 2016 at the usual time.
>>
>> * High Resolution Time Level 2
>>
>> Philippe Le Hegaret from the Web Performance Working Group presented an
>> overview of privacy considerations of High Resolution Time Level 2 [1]. In
>> November, a request was sent to PING [2] for review. One issue that came up
>> last year was that this specification could be used for timing attacks, as
>> identified in research [3],[4]. Because of this issue, the WG was forced to
>> reduce the accuracy of the timer. More recently, another attack was
>> reported (with exploit not yet complete in JavaScript) [5]; discussion with
>> a researcher indicated that even a more granular accuracy would be
>> insufficient to stop it.
>>
>> Discussion of this issue focused on any potential mitigations; research
>> indicates that even if timer accuracy is reduced, you can still use
>> JavaScript data object. Nick Doty proposed it might be useful to talk to
>> security experts about the risks (if any) of revealing memory addresses
>> even if the JavaScript code can't execute natively on the machine. In terms
>> of next steps, the WG is moving this to Candidate Recommendation in order
>> to get version 2 out; Philippe notes that if there is progress in the
>> Rowhammer attack, then they will re-open the question.
>>
>> * Privacy Questionnaire
>>
>> Greg Norcie notes that the questionnaire has been ported from the wiki to
>> GitHub [6], and hopes that pull requests will be an effective channel for
>> feedback. Greg also wants to send feedback to the TAG on their security
>> questionnaire. Discussion suggested that it would be most helpful to use
>> GitHub issue tracking, and to periodically review and update the
>> questionnaire.
>>
>> * AOB
>>
>> Nick Doty notes that the TAG has feedback on the Fingerprinting Guidance
>> document, which he will be discussing with them. In addition, the Web
>> Performance WG has been working on Beacon, and Nick has opened some issues
>> for discussion with them [7].
>>
>> * Next call
>>
>> 25 February 2016 at UTC 17
>>
>> Christine and Tara
>>
>> [1] http://www.w3.org/TR/hr-time-2/
>> [2] https://lists.w3.org/Archives/Public/public-privacy/2015OctDec/0134.html
>> [3] https://github.com/w3c/hr-time/issues/4
>> [4] http://arxiv.org/pdf/1502.07373v2.pdf
>> [5] http://www.rowhammer.com/
>> [6] https://github.com/gregnorc/ping-privacy-questions
>> [7] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0003.html

Received on Thursday, 25 February 2016 15:31:39 UTC