- From: Noam Rosenthal <notifications@github.com>
- Date: Tue, 25 Jun 2024 01:17:24 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/911/2188267490@github.com>
> @plinss and I looked at this today and it seems broadly acceptable. We have a few concerns here, but none of these really change our overall positive disposition. > > We observe that the spec claims that thresholding durations is an effective mitigation strategy for timing attacks. This is not correct. Thresholding only limits the rate at which information can be extracted. The specification rightly points out that these measurements are already possible, but claims this does not make things worse. This is also incorrect. Being able to measure multiple timing sources at the same time makes the rate of information extraction much higher. This is still probably a worthwhile trade-off overall, but please do not pretend like the risk has been eliminated. > > We also noted the [monekypatch of WebIDL](https://w3c.github.io/long-animation-frames/#webidl-monkey-patches), hopefully you're talking to the WebIDL folks to get those changes folded in and will be removing the monkeypatch. See [our guidance in this area](https://w3ctag.github.io/design-principles/#monkey-patching). Thanks for the review! Indeed the remaining WebIDL monkey patches are in process of being upstreamed (see https://github.com/whatwg/webidl/pull/1400). I will take your comments into account and make the S&P section of the spec more accurate to those points. -- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/911#issuecomment-2188267490 You are receiving this because you are subscribed to this thread. Message ID: <w3ctag/design-reviews/issues/911/2188267490@github.com>
Received on Tuesday, 25 June 2024 08:17:28 UTC