Added a list of potential mitigations to timing attacks #68

Merged
merged 3 commits into from
May 9, 2019

yoavweiss
Contributor

@yoavweiss yoavweiss commented May 6, 2019

Based on @tomrittervg's comment.
Closes #67



@yoavweiss
Contributor Author

/cc @tomrittervg - can't add you to reviewer list...

@tomrittervg tomrittervg left a comment

For example, cache attacks
and statistical fingerprinting is a privacy and security concern where a
and statistical fingerprinting is a privacy and security concern where a
malicious web site may use high resolution timing data of various browser
malicious web site may use high resolution timing data of various browser
or application-initiated operations to differentiate between subset of
or application-initiated operations to differentiate between subset of
users, and in some cases identify a particular user - see
users, and in some cases identify a particular user - see
[[?CACHE-ATTACKS]].
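
Review bot: In the sentence starting "For example, cache attacks and statistical fingerprinting is a privacy and security concern", the compound subject needs a plural verb and noun ("are privacy and security concerns"), and "differentiate between subset of users" should read "differentiate between subsets of users". Both are worth fixing while this paragraph is being edited.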

I think we could go further here: it's not just fingerprinting that's a concern here; it's also user data such as browsing history, user activity, and private data, including all data resident in the browser process (Spectre).

Otherwise, the changes LGTM.

Member

@igrigorik igrigorik left a comment

lgtm, modulo comment on linking to the issue tracking how different browsers have chosen to address spectre implications?

@yoavweiss
Contributor Author

@igrigorik - PTAL

Member

@igrigorik igrigorik left a comment

👍

@yoavweiss yoavweiss merged commit c0bcbc2 into w3c:gh-pages May 9, 2019
@yoavweiss yoavweiss deleted the mitigation_list branch May 9, 2019 17:02
Successfully merging this pull request may close these issues.

Add mitigation list to security & privacy section