On Mon, Oct 24, 2011 at 9:51 PM, Adam Barth <aba...@webkit.org> wrote:
> Personally, I don't believe it's possible to implement this feature
> securely, at least not using the approach prototyped by Adobe.
> However, I would love to be proven wrong because this is certainly a
> powerful primitive with many use cases.

I spent some more time looking into timing attacks on CSS Shaders. I haven't created a proof-of-concept exploit, but I believe the current design is vulnerable to timing attacks. I've written up a blog post explaining the issue:

http://www.schemehostport.com/2011/12/timing-attacks-on-css-shaders.html

Jonas Sicking seems to have a similar concern:

https://twitter.com/#!/SickingJ/status/143161375823380480

It's probably worth addressing this concern sooner rather than later. Ignoring it certainly won't cause the vulnerability to go away.

Adam
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev