Re: Cross-Origin Restrictions

Thanks for the reminder and sorry for the delay. I think this is the
information we want to convey. Do you want to do any tweaking and then
send it out? I'm also happy to mail it on our behalf if you think it
is good to go.

-Tony

---------

Hi Security Gurus,

The Resource Timing[1] specification has just entered last call phase. It
provides network timing details for each subresource loaded by a page,
to wit, the HTTP redirect, DNS, TCP connect, HTTP request and HTTP
response phases.

We suspect that exposing this additional detail could improve the
effectiveness of timing attacks like those described by Felten and
Schneider[2]. So we have speculatively guarded these times with a
same-origin restriction.

But even with the same-origin restriction, other folks have
speculated[3] these times could be used to improve the effectiveness
of statistical fingerprinting. At the same time, developers who want
to use the specification are concerned that the same-origin
restriction is too crippling for their use-cases.

So, we'd like to take a step back and develop a list of novel attacks
that could be enabled by exposing network timing. Then we can put in
the proper set of restrictions to prevent them. The problem is that
none of the working group participants have expertise in security or
privacy. Would you be willing to help us compile such a list?

Thank you,
Web Performance Working Group

[1] http://w3c-test.org/webperf/specs/ResourceTiming/
[2] http://sip.cs.princeton.edu/pub/webtiming.pdf
[3] http://lists.w3.org/Archives/Public/public-web-perf/2011May/0102.html

On Wed, Sep 28, 2011 at 1:40 AM, Jatinder Mann <jmann@microsoft.com> wrote:
> Tony,
>
> In a previous conference call, we had discussed drafting an email to share
> and get feedback from security and privacy experts on statistical
> fingerprinting concerns. Once you have that mail drafted, we can begin
> soliciting feedback and close this remaining open item on the Timing specs.
> Do you have an idea of when you think you can have that ready by?
>
> Thanks!
>
> Jatinder
>
> Per [minutes] 20110914 Web Performance WG Teleconference #49:
>
> Cross-Origin Restrictions
>
> There has been an open issue in the working group to verify with security
> and privacy experts on our current security and privacy features. There are
> both concerns that we may be too restrictive or not restrictive enough. In
> order to resolve these issues, we will follow up with security and privacy
> experts both internally and on the W3C mailing lists. Tony has an action
> item (ACTION-50) to draft a mail describing our scenario that can then be
> circulated to the various experts.

Received on Thursday, 29 September 2011 23:17:22 UTC