- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 9 Apr 2009 06:42:25 +0000 (UTC)
- To: Bil Corry <bil@corry.biz>
- Cc: public-webapps@w3.org
On Thu, 9 Apr 2009, Bil Corry wrote:
>
> For example, imagine instead you visit a malicious site, and it wants to
> phish your banking credentials. But rather than choosing a random bank
> and hoping you bank there, it instead launches a series of timing
> attacks against the top 30 banks, determines which bank(s) you're logged
> into, then tries phishing against the one you're logged into.
> CORS-Origin can't help, but a robust Origin could.

You could just do a timing attack against non-login-protected assets that
are only shown while logged in, or even just do timing attacks against any
cached resource from the site, to see if they visited it. Or heck, you
could just do a regular :visited history probing attack to see which site
they visited.

If we wanted to protect against timing attacks like this, I think we would
need to just have the browser itself ensure all network traffic has
unpredictable timing (and remove the visited URLs features).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 9 April 2009 06:43:07 UTC
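The cache-timing probe Ian refers to ("timing attacks against any cached resource from the site, to see if they visited it"), as an added example that is not part of the thread and not code from any W3C draft. It is written the way the attacker's page would run it: load an asset from the target site once and compare the elapsed time with a freshly measured, cache-busted network baseline for the same host. The host bank.example, the asset path and the 0.5 ratio are assumptions chosen for illustration; the two measurement helpers need a browser (Image, performance.now), the decision helpers are plain JavaScript.

```javascript
// Added example, not code from the thread or from any W3C spec: a cross-site
// cache-timing probe of the kind Ian describes, written as the attacker page
// would run it. The measurement helpers need a browser (Image, performance);
// the decision helpers are plain JS. The hostname bank.example and the
// numeric thresholds are assumptions chosen for illustration.

// Append a random query string so the browser cannot satisfy the request
// from cache. Used to measure the "uncached" network baseline for a host.
function cacheBust(url) {
  const u = new URL(url);
  u.searchParams.set("cb", Math.random().toString(36).slice(2));
  return u.toString();
}

// Median of a list of timings; robust against one unusually slow sample.
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Decision rule: a load that finishes in a small fraction of the measured
// network round trip must have come from the local cache. `ratio` is an
// assumed tuning constant; 0.5 leaves a wide margin against ordinary jitter.
function looksCached(targetMs, baselineMs, ratio = 0.5) {
  return baselineMs > 0 && targetMs < baselineMs * ratio;
}

// Browser-only. Time one load through an <img>. Cross-origin images fire
// onload/onerror without exposing any bytes, but the elapsed time still
// leaks whether the resource was in the victim's cache.
function timeOneLoad(url) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    const done = () => resolve(performance.now() - start);
    img.onload = done;
    img.onerror = done; // a redirect to a login page also counts as "done"
    img.src = url;
  });
}

// Browser-only. Probe whether `url` is already in the victim's cache, i.e.
// whether they visited the site that serves it. The cache-busted baseline
// loads come first so that DNS and TCP are warm for the one measurement
// that matters; the target is loaded exactly once, because after that it is
// cached by the attacker's own load regardless of the victim's history.
async function probeCached(url, baselineSamples = 3) {
  const baselines = [];
  for (let i = 0; i < baselineSamples; i++) {
    baselines.push(await timeOneLoad(cacheBust(url)));
  }
  const baselineMs = median(baselines);
  const targetMs = await timeOneLoad(url);
  return { url, baselineMs, targetMs, cached: looksCached(targetMs, baselineMs) };
}

// Usage from an attacker page, against an assumed asset that only a logged-in
// user of bank.example would have loaded. The "top 30 banks" scan from the
// quoted message is this call repeated once per bank:
// probeCached("https://bank.example/static/account-header.png").then(console.log);
```

The single target load is the whole point: repeating it would only measure the attacker's own cache fill. That is also why the per-request random delay Ian proposes has to come from the browser and be large relative to the cache/network gap; an attacker cannot average it away here, but any jitter smaller than that gap leaves looksCached's verdict unchanged.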