Any update on this, Jonas?
On Fri, 20 Mar 2009 13:21:17 +0100, Alexey Proskuryakov <[email protected]>
wrote:
On 20.03.2009, at 1:52, Jonas Sicking wrote:
I don't know how easy it is with current technologies to do this
reliably. Or how big chances are that we can fix those technologies in
the future to not work at all, or at least be less reliable.
If you have that information I can try to bring a case for security
review here.
The examples Ian gave all seem reliable to me.
Besides, I think that my example with timing of POST requests is quite
reliable. It has been repeatedly shown that timing-related checks are
incredibly powerful - see e.g.
<http://www.daemonology.net/hyperthreading-considered-harmful/>.
A possible counter-argument is that there is more than simple port
scanning that we should worry about - with sufficient out of band
information, it could be possible to precisely detect operating systems
and services on the internal network, see
<http://nmap.org/book/osdetect.html>. I doubt that upload progress
events provide much above upload timing in this regard, but it might be
that they do.
--
Anne van Kesteren
http://annevankesteren.nl/