- From: Eric Rescorla <ekr@rtfm.com>
- Date: Mon, 21 May 2012 11:10:36 -0700
- To: Wendy Seltzer <wseltzer@w3.org>
- Cc: Jarred Nicholls <jarred@webkit.org>, GALINDO Virginie <Virginie.GALINDO@gemalto.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>

On Mon, May 21, 2012 at 9:34 AM, Wendy Seltzer <wseltzer@w3.org> wrote:
> On 05/15/2012 12:10 PM, Jarred Nicholls wrote:
>> On Tue, May 15, 2012 at 10:59 AM, GALINDO Virginie <Virginie.GALINDO@gemalto.com> wrote:
>>
>>> Dear all,
>>>
>>> Some people mentioned that a webapp may be able to discover the algorithms
>>> supported by the environment it is running in, thus identifying algorithms
>>> available thanks to the Web Crypto API. There are several means to do that
>>> (1) either by an actual discovery mechanism sending back the entire list of
>>> algorithms,
>
> I'd like to hear a bit about the fingerprinting possibilities that a
> discovery mechanism opens up. Inspecting the browser's crypto
> properties could introduce privacy and security concerns.
>

My intuition is that this battle is already lost, especially as algorithm
fingerprinting (as opposed to key discovery) probably doesn't leak that
much information about the hardware platform. Compare to, for instance:

http://cseweb.ucsd.edu/~kmowery/papers/html5-fingerprint.pdf

-Ekr

Received on Monday, 21 May 2012 18:12:09 UTC