- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Wed, 26 Feb 2014 11:15:50 +0100
- To: Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>
- CC: Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michal Zalewski <lcamtuf@google.com>, Eduardo' Vela <evn@google.com>

On 25-Feb-14 22:13, Daniel Veditz wrote:
>> For services such as gmail and hotmail, the login happens on a
>> different domain than the service. This is an extremely common setup,
>> including on high value targets
>
> This is NOT common, but unfortunately it is used on some high-traffic
> (likely high value) domains.

Websites which have one login, and multiple subdomains IS extremely common. I consider this fortunate, and good security practice.

> You can't make everything equally fast so you must make things equally
> slow, and these days browsers are competing in part on speed. There's
> no way Mike (Google) or I (Mozilla) could sell that to our respective
> browser engine teams.

I think we have uncovered a misunderstanding here. Browsers should definitely not slow down, and browsers should not protect websites from timing attacks. Browsers need to support websites protecting themselves though, and not purposefully hand over private information to third party websites. I fully agree that any suggestion that browsers should do things more slowly would be a non-starter.

--
Sigbjørn Vik
Opera Software

Received on Wednesday, 26 February 2014 10:16:21 UTC