Issue metadata
Sign in to add a comment
|
Security: browser history sniffing via timing attack
Reported by
jackwill...@gmail.com,
Aug 1 2017
|
||||||||||||||||||||||
Issue descriptionI see the fix was incomplete for issue bug 625945 . Please follow the steps listed below. Chrome Version: Stable 60.0.3112.78 Operating System: Windows REPRODUCTION CASE 1: Download the attached file. 2: Then open http://www.chase.com/. 3: You should see that http://www.chase.com is visited.
,
Aug 1 2017
,
Aug 8 2017
This repros, albeit somewhat unreliably. The fix in Issue 544765 was to ensure that CSP requiring HTTP could not block HTTPS requests (https://www.chromestatus.com/feature/6653486812889088). That change remains effective and you can see by running this repro that no requests are blocked by CSP. Removing the "Step 1" section of the code (which attempts to use CSP), shows the same rate of repro. The repro is thus just using a cache timing attack to try to infer whether the target page happens to be in the cache. As noted in comment #19 on that issue, "This won't fix variants of the attack that rely on cache timing, but it removes the trivial DOM event that the PoC relied on for 100% accuracy." Unfortunately, breaking cache timing attacks is not generally practical without severely impairing the performance of the web platform.
,
Nov 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Aug 1 2017Labels: Security_Severity-Low Security_Impact-Stable