- From: Alexey Proskuryakov <ap@webkit.org>
- Date: Fri, 20 Mar 2009 15:21:17 +0300
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Anne van Kesteren <annevk@opera.com>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>
20.03.2009, Χ 1:52, Jonas Sicking ΞΑΠΙΣΑΜ(Α): > I don't know how easy it is with current technologies to do this > reliably. Or how big chances are that we can fix those technologies in > the future to not work at all, or at least be less reliable. > > If you have that information I can try to bring a case for security > review here. The examples Ian gave all seem reliable to me. Besides, I think that my example with timing of POST requests is quite reliable. It has been repeatedly shown that timing-related checks are incredibly powerful - see e.g. <http://www.daemonology.net/hyperthreading-considered-harmful/ >. A possible counter-argument is that there is more than simple port scanning that we should worry about - with sufficient out of band information, it could be possible to precisely detect operating systems and services on the internal network, see <http://nmap.org/book/osdetect.html >. I doubt that upload progress events provide much above upload timing in this regard, but it might be that they do. - WBR, Alexey Proskuryakov
Received on Friday, 20 March 2009 12:21:54 UTC