- From: Adam Rice <notifications@github.com>
- Date: Wed, 26 May 2021 10:52:20 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/1243/848992822@github.com>
Here's a hypothetical privacy attack on a non-partitioned side-table:

1. a.com and b.com embed evil.com
2. On loading, evil.com attempts to probe its current "throttle cookie". If the probe fails, it attempts to set a random "throttle cookie" instead. In both cases, the "throttle cookie" is communicated back to evil.com to correlate the loads.
3. Setting a "throttle cookie" works as follows:
   1. Choose a random non-empty subset of ws0.evil.com to ws31.evil.com
   2. Connect repeatedly to ws://wsX.evil.com/set, making sure there are always at least two handshake attempts pending
   3. The servers at wsX.evil.com are configured to wait 2 seconds before responding to the handshake when they see a connection to the /set endpoint
4. Probing a "throttle cookie" works as follows:
   1. Attempt to connect to all of ws0.evil.com to ws31.evil.com, using the endpoint ws://wsX.evil.com/probe
   2. The servers always respond immediately to the /probe endpoint.
   3. Time how long the handshakes take
   4. Consider a handshake that took >= 2 seconds to be in the set, and < 2 seconds to not be in the set.

This permits evil.com to associate the two sessions.

Is this a privacy attack we need to worry about?
Received on Wednesday, 26 May 2021 17:52:33 UTC