Re: [w3c/manifest] Add id member to manifest (#988)

> An attacker will likely not have to search its entire user space. We have to assume that 1) the attacker knows exactly which users it hasn’t heard from in a certain time window, 2) the attacker will be able to bucketize its user space on device info, and 3) any fingerprinting available such as IP address, time zone, language settings, and user agent information can be used to further shard the user space.

So I guess these attacks can probably simplify to "The attacker would be able to make 1 guess a day at the id". There could be further mitigations around "if the origin association file or manifest file updates X days in a row, increase update time" etc. But I guess the first question would be - is 1 guess a day too fast?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/pull/988#issuecomment-902136026

Received on Thursday, 19 August 2021 18:16:46 UTC