Amazing new HTTPS exploit that uses browser JavaScript APIs (fetch + resource timing), no MITM needed: http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/ …
fetch() promise resolves when headers are available, which wasn't so easily visible before (I presume).
That said, I suspect that was knowable in a probabilistic way previously.
Hmm, I am pretty sure XHR does a readyStateChange at that point.