Amazing new HTTPS exploit that uses browser JavaScript APIs (fetch + resource timing), no MITM needed: http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/ …
-
I don't see the attack details, but if resource timing gives cross-origin information, that does seem bad.
-
Has anyone seen an explanation for why this is a problem specific to Fetch and not to XHR?