Re: Security implications of network timing

On 10/4/2011 3:16 PM, Billy Hoffman wrote:
> The performance timing information in the new API has implications fat
> beyond Felton's classic work on browser or shared cache snooping. I
> see this facilitating some major advances in the JavaScript port
> scanning that myself, Robert Hanson, and Jeremiah Grossman explored in
> 2006.

I can see that angle but wouldn't the Timing-Allow-Origin requirement 
mitigate most if not all of that?  It basically nixes the domain lookup 
and connection information that would be useful... right?

For another vector, how about using the performance data to perform 
geolocation testing?  I'm being totally theoretical with no PoC to back 
this up but could the timing information help an attacker to better 
pinpoint coordinates more accurately than geolocation databases today? 
I'm assuming something like multilateration might be used, where the 
attacker controlled various receivers, thereby controlling the 
cross-origin restriction as well.  But then again the attacker might 
need quite a bunch of those receivers around, and in decent proximity to 
the victim, to do any good...


Received on Friday, 7 October 2011 03:51:43 UTC