- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 25 Feb 2014 13:13:56 -0800
- To: Sigbjørn Vik <sigbjorn@opera.com>, Mike West <mkwst@google.com>
- CC: Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michal Zalewski <lcamtuf@google.com>, Eduardo' Vela <evn@google.com>

On 2/25/2014 7:01 AM, Sigbjørn Vik wrote:
> For services such as gmail and hotmail, the login happens on a
> different domain than the service. This is an extremely common setup,
> including on high value targets

This is NOT common, but unfortunately it is used on some high-traffic (likely high value) domains.

> Personally, I consider any solution which instantly reveals logged-in
> status on such services to be a security flaw, and a non-starter.

Logged-in status is almost certainly a lost cause on the web but it would be nice if we could avoid making the problem worse. Leaking identifiable information with paths (user names, OAuth tokens, etc) _is_ a new attack and we must absolutely not do that.

> Timing attacks are generally protected against by ensuring
> operations take equally long regardless of the input.

You can't make everything equally fast so you must make things equally slow, and these days browsers are competing in part on speed. There's no way Mike (Google) or I (Mozilla) could sell that to our respective browser engine teams. Not unless the citizens of the web rise up and demand it--and I mean lots and lots of them, not just a few of our fellow paranoids.

As an instructive example look how long it took to get the CSS :visited history-sniffing issue fixed, and it was basically the same kind of leakage.

> Timing attacks on logged-in vs not-logged-in pages are currently not
> considered very serious in general. It depends on heuristics, many
> retries, and is susceptible to failure due to e.g. noise, background
> processes, user location, etc. An attack requires close statistical
> studies of the target first, and must be updated whenever the target
> changes.

I agree with your first sentence--people in general don't seem too worked up about the various demonstrations that have been made. I disagree that current state of the art login detection is unreliable. It's not perfect, but it's pretty damn good.

-Dan Veditz

Received on Tuesday, 25 February 2014 21:14:14 UTC