New side channel attack via CSS3 feature "mix-blend-mode"

Talk about code development, features, specific bugs, enhancements, patches, and similar things.
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.

This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.

Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
User avatar
LigH1L
Fanatic
Fanatic
Posts: 121
Joined: 2013-02-22, 19:08
Location: rural central Germany

New side channel attack via CSS3 feature "mix-blend-mode"

Unread post by LigH1L » 2018-05-31, 19:56

I only heard about a newly found security risk to spy on IFRAME content; Firefox and Chrome are known to be vulnerable.

Evonide Security Research: Side-channel attacking browsers through CSS3 features

Not to cause panic, just to have it mentioned. Maybe you can imagine a strategy in case your render engine is affected too.

The description sounds like it depends delicately on timings in transparency calculations.
Last edited by LigH1L on 2018-05-31, 19:59, edited 2 times in total.
Fun and success!

User avatar
ketmar
Lunatic
Lunatic
Posts: 369
Joined: 2015-07-28, 11:10
Location: Earth

Re: New side channel attack via CSS3 feature "mix-blend-mode"

Unread post by ketmar » 2018-06-01, 11:40

no SmartName? no dedicated site? meh, that's not how it is done these days!

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35402
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: New side channel attack via CSS3 feature "mix-blend-mode"

Unread post by Moonchild » 2018-06-01, 13:01

As far as I've seen, none of these pixel stealing attacks work on Pale Moon, and "just in case" some DiD measures were put in place months ago. Combine that with a cautious approach to performance timers and it's at most impractical, but more likely just never works.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
LigH1L
Fanatic
Fanatic
Posts: 121
Joined: 2013-02-22, 19:08
Location: rural central Germany

Re: New side channel attack via CSS3 feature "mix-blend-mode"

Unread post by LigH1L » 2018-06-01, 13:22

I hoped to hear that. Thank you. :thumbup:
Fun and success!

Locked