"Spy in the Sandbox" - Security issue related to High Resolution Time API

Hello everybody,

My name is Yossi and I’m a post-doc at Columbia University’s Network Security Lab. We’ve recently published a report describing a new Javascript-based network attack. Our attack lets a malicious website learn a surprising amount of personal information about an innocent user, and is largely based upon repeated calls to performance.now() as a measurement method.  We have a proof-of-concept demo for this attack which I can share off-list with relevant stakeholders.  A draft report is also available online here:
http://arxiv.org/abs/1502.07373 <http://arxiv.org/abs/1502.07373>

From our testing it is very apparent that somewhat reducing the resolution of performance.now() will make the attack much more difficult. We noticed that various browser vendors implement the call with different precisions, with Firefox for Linux and MacOS going down to the single nanosecond. Our attack as described becomes very difficult to launch once the resolution of performance.now() is upper-bounded to 5 thousandths of a millisecond.  

I would like to suggest that you change the spec to recommend this countermeasure.  In your opinion, does this modification incur too much of a usability loss (to games, music, VR, etc)?  


Received on Thursday, 28 May 2015 20:51:33 UTC