tomayac
commented
4 years ago We do mention this attack in the article, with fuzzing being listed as a mitigation that user agents can add.
Closed martinthomson closed 3 years ago
tomayac
commented
4 years ago We do mention this attack in the article, with fuzzing being listed as a mitigation that user agents can add.
martinthomson
commented
3 years ago I'm sorry, that link doesn't work.
In either case, it's the specification that matters.
I'm skeptical about the value of fuzzing (by which I presume that you mean adding a random delay).
reillyeon
commented
3 years ago I'm sorry, that link doesn't work.
This comment is off-topic and passive aggressive.
I'm skeptical about the value of fuzzing (by which I presume that you mean adding a random delay).
That was our conclusion as well. We spent a long time trying to develop a fuzzing scheme that was rigorously defensible and failed which is why the current design uses a permission instead. @tomayac, I'm sorry I didn't notice this reference to the earlier design in the article during review.
In §3.1. Cross-origin information leakage I address the possibility of correlating users using the state exposed by this API but don't call it out explicitly as being a timing-based attack. I will update this section to describe the potential attack more precisely.
Sora2455
commented
3 years ago @reillyeon So does the permission check replace the fuzzing? Two origins that have the permission probobly shouldn't be able to ccoordinate to cross-orign either. Or are we relying on users not granting the permission to malicious domains?
tomayac
commented
3 years ago I'm sorry, that link doesn't work.
☮️ Try this link instead.
In either case, it's the specification that matters.
Agreed, Reilly is on it. Updated the article now.
reillyeon
commented
3 years ago So does the permission check replace the fuzzing?
Yes.
Two origins that have the permission probobly shouldn't be able to ccoordinate to cross-orign either. Or are we relying on users not granting the permission to malicious domains?
We are relying on browsers to explain the privacy/functionality trade-off that this permission implies and to implement mitigations that prevent sites from spamming users with requests for this and other permissions.
reillyeon
commented
3 years ago I've updated the section above to explicitly describe the timing aspect of the attack.
Two origins with 'idle-detection' permission will receive an event at approximately the same time. This allows an adversary with access to both origins the ability to identify the two as being the same browser with high probability. This was the basis of the attacks on the battery status API.
This is not mentioned in #29, but probably should be. The usual defenses we deploy here is to defer the event until the window gains focus, which is not going to work in this case.