- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Thu, 6 Oct 2011 21:16:04 -0700
- To: Chris Weber <chris@lookout.net>
- Cc: Billy Hoffman <billy@zoompf.com>, Tony Gentilcore <tonyg@chromium.org>, public-web-security@w3.org

> For another vector, how about using the performance data to perform
> geolocation testing? I'm being totally theoretical with no PoC to back this
> up but could the timing information help an attacker to better pinpoint
> coordinates more accurately than geolocation databases today? I'm assuming
> something like multilateration might be used, where the attacker controlled
> various receivers, thereby controlling the cross-origin restriction as well.

The attacker controlling several servers can already measure RTTs (and the number of hops, and many other parameters) very accurately simply by benchmarking HTTP connections.

FWIW, I looked at this before, and I would be somewhat surprised if the API has any privacy consequences that extend beyond the current timing capabilities available to JavaScript and malicious servers.

I suspect the key reason why it makes people uncomfortable is its explicit nature; and the fact that its introduction will essentially burn any bridges should we want to mitigate timing vectors in the future. Which may be a legit concern, though I don't see such mitigations happening soon.

/mz

Received on Friday, 7 October 2011 04:17:01 UTC