Re: Security implications of network timing

> For another vector, how about using the performance data to perform
> geolocation testing?  I'm being totally theoretical with no PoC to back this
> up but could the timing information help an attacker to better pinpoint
> coordinates more accurately than geolocation databases today? I'm assuming
> something like multilateration might be used, where the attacker controlled
> various receivers, thereby controlling the cross-origin restriction as well.

The attacker controlling several servers can already measure RTTs (and
the number of hops, and many other parameters) very accurately simply
by benchmarking HTTP connections.

FWIW, I looked at this before, and I would be somewhat surprised if
the API has any privacy consequences that extend beyond the current
timing capabilities available to JavaScript and malicious servers. I
suspect the key reason why it makes people uncomfortable is its
explicit nature; and the fact that its introduction will essentially
burn any bridges should we want to mitigate timing vectors in the
future. Which may be a legit concern, though I don't see such
mitigations happening soon.


Received on Friday, 7 October 2011 04:17:01 UTC