New side channel attack via CSS3 feature "mix-blend-mode"

Suggestions and feature requests for the Pale Moon browser

Moderator: satrow

LigH1L
Fanatic
Fanatic
Posts: 104
Joined: 2013-02-22, 19:08
Location: NoDSL.de - rural central Germany

New side channel attack via CSS3 feature "mix-blend-mode"

Unread post by LigH1L » 2018-05-31, 19:56

I only heard about a newly found security risk to spy on IFRAME content; Firefox and Chrome are known to be vulnerable.

Evonide Security Research: Side-channel attacking browsers through CSS3 features

Not to cause panic, just to have it mentioned. Maybe you can imagine a strategy in case your render engine is affected too.

The description sounds like it depends delicately on timings in transparency calculations.
Last edited by LigH1L on 2018-05-31, 19:59, edited 2 times in total.

User avatar
ketmar
Lunatic
Lunatic
Posts: 359
Joined: 2015-07-28, 11:10
Location: Earth

Re: New side channel attack via CSS3 feature "mix-blend-mode"

Unread post by ketmar » 2018-06-01, 11:40

no SmartName? no dedicated site? meh, that's not how it is done these days!

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 23944
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: New side channel attack via CSS3 feature "mix-blend-mode"

Unread post by Moonchild » 2018-06-01, 13:01

As far as I've seen, none of these pixel stealing attacks work on Pale Moon, and "just in case" some DiD measures were put in place months ago. Combine that with a cautious approach to performance timers and it's at most impractical, but more likely just never works.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it on cohservers.com

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

LigH1L
Fanatic
Fanatic
Posts: 104
Joined: 2013-02-22, 19:08
Location: NoDSL.de - rural central Germany

Re: New side channel attack via CSS3 feature "mix-blend-mode"

Unread post by LigH1L » 2018-06-01, 13:22

I hoped to hear that. Thank you. :thumbup:

Locked