On April 1st, I spoke at the very first Fronteers Spring Conference. The theme of the whole conference was performance. For my presentation, I decided to try something a little bit different: instead of talking about techniques that lead to better client-side performance, I focused on security-sensitive situations in which performance can actually be a bug rather than a feature.
Check out the video below. The slides are available too. The Q&A session after the talk was recorded as well.
The presentation walks through what timing attacks are, explains how they can occur on the web through client-side code, and demonstrates how modern performance-related web APIs can sometimes have a negative security impact. To get the point across, I showcased some brilliant research by Yan Zhu and Tom Van Goethem.
To me, this stuff is extremely interesting on a technical level. It’s also a little scary, however, to realize that malicious actors can use these techniques to invade your privacy while you’re browsing the web, without you ever knowing. Embedded third-party advertisements could be running timing attacks in the background, leaking pieces of private info (such as age, gender, location), which in turn enables them to serve you more targeted advertisements, fingerprint and track you across the web, or even de-anonymize you completely.
The sad news is that, as a web developer, there’s no obvious way to prevent this type of attack. End users should consider using a content blocker (not just an ad blocker) in their browser.