[css-shaders] security - timing attacks from Gregg Tavares (wrk) on 2011-10-18 (www-style@w3.org from October 2011)

From: Gregg Tavares (wrk) <gman@google.com>
Date: Tue, 18 Oct 2011 10:11:31 -0700
To: www-style list <www-style@w3.org>
Message-ID: <CAKZ+BNpcDpRoqMpzTYS1aFa8YbbM2EQ9-_Ui4hyQBoFUfNj71w@mail.gmail.com>

Don't CSS shaders end up exposing the same timing attacks for reading images
that WebGL used to before CORS support was added?

Basically, build a shader that takes more time depending on the pixels. Use
requestAnimationFrame to time how long compositing took, adjust until you
overflow a frame. You can now read pixels.

Received on Tuesday, 18 October 2011 17:11:55 UTC