- From: Bil Corry <bil@corry.biz>
- Date: Thu, 09 Apr 2009 10:48:20 -0500
- To: Ian Hickson <ian@hixie.ch>
- CC: public-webapps@w3.org
Ian Hickson wrote on 4/9/2009 1:42 AM:

> On Thu, 9 Apr 2009, Bil Corry wrote:
>> For example, imagine instead you visit a malicious site, and it wants to
>> phish your banking credentials. But rather than choosing a random bank
>> and hoping you bank there, it instead launches a series of timing
>> attacks against the top 30 banks, determines which bank(s) you're logged
>> into, then tries phishing against the one you're logged into.
>> CORS-Origin can't help, but a robust Origin could.
>
> You could just do a timing attack against non-login-protected assets that
> are only shown while logged in, or even just do timing attacks against any
> cached resource from the site, to see if they visited it. Or heck, you
> could just do a regular :visited history probing attack to see which site
> they visited. If we wanted to protect against timing attacks like this
> I think we would need to just have the browser itself ensure all network
> traffic has unpredictable timing (and remove the visited URLs features).

My point is that a robust Origin moves us closer to better security controls, perhaps not all the way, but certainly much closer than CORS-Origin gets us.

- Bil
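The thread contrasts a CORS-only Origin with a "robust" Origin that a browser would send on every cross-site request. The following is an added example, not code from either poster or from any W3C draft, showing what a server-side consumer of such a header looks like: it allow-lists the origins permitted to make state-changing requests, refuses the opaque `null` origin, and falls back to `Referer` only for the transition period. `ALLOWED_ORIGINS`, the policy choices in the docstring and the header dictionaries are assumptions of the example. Note that, as Hickson's reply points out, an Origin check addresses cross-site request forgery rather than the timing side channel itself, which would need a browser-side mitigation.

```python
"""Server-side Origin allow-list for state-changing requests (constructed
defensive example; not the mailing list's or any project's own code)."""
from urllib.parse import urlsplit

# Origins permitted to make state-changing requests to this application.
# Constructed value for the example.
ALLOWED_ORIGINS = {"https://bank.example"}

# Methods that must not change state and therefore need no origin check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def normalize_origin(value):
    """Reduce a URL or origin string to scheme://host[:port] (lower-cased).

    Returns None when the value has no scheme or host, so a bare host name
    or garbage never matches an allow-listed origin by accident.
    """
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_origin(method, headers, allowed=ALLOWED_ORIGINS):
    """Return (allowed, reason) for one request.

    Policy (an assumption of this example, not something the thread specifies):
      * safe methods are always allowed; the check targets state changes
      * a state-changing request with neither Origin nor Referer is rejected,
        which is only workable once browsers send Origin on every cross-site
        request, i.e. the "robust Origin" the thread asks for
      * the opaque "null" origin (sandboxed or privacy-redacted) is rejected,
        since it cannot be tied to a trusted site
    `headers` is a plain dict keyed by canonical header name.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    origin = headers.get("Origin")
    if origin is None:
        # Transitional fallback: derive the origin from Referer if present.
        referer = headers.get("Referer")
        if referer is None:
            return False, "no Origin or Referer on state-changing request"
        origin = normalize_origin(referer)
        if origin is None:
            return False, "unparseable Referer"
        source = "Referer"
    else:
        if origin.strip().lower() == "null":
            return False, "opaque 'null' origin"
        origin = normalize_origin(origin)
        if origin is None:
            return False, "unparseable Origin"
        source = "Origin"

    if origin in allowed:
        return True, f"{source} {origin} is allow-listed"
    return False, f"{source} {origin} is cross-site"


if __name__ == "__main__":
    # Constructed sample requests.
    for method, hdrs in [
        ("GET", {}),
        ("POST", {"Origin": "https://bank.example"}),
        ("POST", {"Origin": "https://attacker.example"}),
        ("POST", {"Origin": "null"}),
        ("POST", {}),
        ("POST", {"Referer": "https://bank.example/transfer?amount=1"}),
    ]:
        print(method, hdrs, "->", check_origin(method, hdrs))
```

The Referer fallback is the weak part of this design: it is the only signal available from browsers that do not send Origin, yet it is stripped by many privacy settings and proxies, which is exactly why the thread argues for a header that is sent unconditionally.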
Received on Thursday, 9 April 2009 15:49:07 UTC