Specify what kind of attacks are considered and addressed
pes10k opened this issue · 2 comments
This issue is being filed as part of the requested PING review and was broken off from this previous issue
The section mentions "timing attacks", but this is a very broad term. The text here would be more useful if the text was more precise: what kinds of attacks / timing issues are the authors concerned with and guarding against. My read from the text is that the section is most concerned with different sites observing the same event at the same time, and using that to link browsing contexts. There are other kinds of attacks that requiring timing information to conduct though (e.g., using timing signals to create a side/covert channel). In general, the text here would be improved by being more precise about what kinds of attacks are considered and addressed.
@pes10k thanks for the proposal. I'm supportive of adding an informative section to document known attacks/threats followed by mitigations section that maps to the threats. This would be content that informatively summarizes the attacks/threats and their mitigations and complements the normative spec algorithms that incorporate these mitigations.
To get an idea how to structure this, we could section this similarly to what was done for sensors: types of privacy and security threats followed by mitigation strategies. (Another example from a slightly different area is the register of risks and mitigations we started as part of the Ethical Principles for Web Machine Learning effort.)
Re preciseness, let me come up with a hand-wavy proposal to get your feedback on the appropriate level of detail. Let's call this one "pressure-monitoring attack":
Pressure-monitoring attack is a theoretical side-channel attack that makes use of the uniqueness of the pressure state pattern (e.g. "serious" → "critical" → "nominal") that can be formed when a specific workload is executed on a specific system. In this theoretical attack, two co-operating websites A and B execute the same workload and attempt to correlate the two state patterns formed to identify whether the same system is used to visit both the websites. This attack requires the website A and B to be able to exchange messages, for example, by means of cross-document messaging. The attack also requires an environment void of disturbances that do not alter the pressure state during the execution of the specific workload.
If this format resonates I can start a PR to reorganize the security and privacy considerations accordingly and the editors can them start to fill in the blanks if any.