- From: Tony Gentilcore <tonyg@chromium.org>
- Date: Tue, 4 Oct 2011 12:54:27 +0100
- To: public-web-security@w3.org
Hi Security Gurus, The Resource Timing[1] specification has just entered last call phase. It provides network timing details for each subresource loaded by a page, to wit, the HTTP redirect, DNS, TCP connect, HTTP request and HTTP response phases. We suspected that exposing this additional detail could improve the effectiveness of timing attacks like those described by Felten and Schneider[2]. So we have speculatively guarded these times with a same-origin restriction. But even with the same-origin restriction, other folks have speculated[3] these times could be used to improve the effectiveness of statistical fingerprinting. At the same time, developers who want to use the feature are concerned that the same-origin restriction is too crippling for their use-cases. So, we'd like to take a step back and develop a list of novel attacks that could be enabled by exposing network timing. Then we can put in the proper set of restrictions to prevent them. The problem is that none of the web performance working group participants have expertise in security or privacy. Are there folks in this group who would be willing to help us generate a list of novel attacks that could be exposed by network timing? Thank you, Web Performance Working Group [1] http://w3c-test.org/webperf/specs/ResourceTiming/ [2] http://sip.cs.princeton.edu/pub/webtiming.pdf [3] http://lists.w3.org/Archives/Public/public-web-perf/2011May/0102.html
Received on Tuesday, 4 October 2011 11:55:24 UTC