Amazing new HTTPS exploit that uses browser javascript APIs (fetch + resource timing), no MITM needed: http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/
Replying to @bcrypt
seems like the simple solution is to change https://w3c.github.io/resource-timing/#cross-origin-resources … so that PerformanceResourceTiming responseEnd is empty when cross-origin
4 replies 8 retweets 30 likes
Replying to @bcrypt
IMO the moral of the story is not that TLS compression is bad, it's that w3c specs need better security review
4 replies 27 retweets 67 likes
Replying to @slightlylate @bcrypt
Also, in case anyone's curious, the "resolve on headers" behavior of fetch() is likely at least *partially* my doing.
1 reply 0 retweets 3 likes
I don't see the attack details but if resource timing gives cross origin information that does seem bad.
1 reply 0 retweets 0 likes
Replying to @domenic @slightlylate and
has anyone seen an explanation for why this is a problem specific to Fetch and not to XHR?
1 reply 0 retweets 0 likes
fetch() promise resolves when headers are available, which wasn't so easily visible before (I presume).
1 reply 0 retweets 0 likes
That said, I suspect that was knowable in a probabilistic way previously.
hmm I am pretty sure XHR does a readyStateChange at that point.
2 replies 0 retweets 2 likes