Front-End Performance: The Dark Side

On April 1st, I spoke at the very first Fronteers Spring Conference. The theme of the whole conference was performance. For my presentation, I decided to try something a little bit different: instead of talking about techniques that lead to better client-side performance, I focused on security-sensitive situations in which performance can actually be a bug rather than a feature.

Check out the video below. The slides are available too.

The Q&A session after the talk was recorded as well.

The presentation walks through what timing attacks are, explains how they can occur on the web through client-side code, and demonstrates how modern performance-related web APIs can sometimes have a negative security impact. To get the point across, I showcased some brilliant research by Yan Zhu and Tom Van Goethem. My favorite demo was one of Tom’s, where a client-side timing attack (using nothing but JavaScript) is used to figure out the exact age of the current visitor.

To me, this stuff is extremely interesting on a technical level. It’s also a little scary, however, to realize that malicious actors can use these techniques to invade your privacy while you’re browsing the web, without you ever knowing. Embedded third-party advertisements could be running timing attacks in the background, leaking pieces of private info (such as age, gender, location), which in turn enables them to serve you more targeted advertisements, fingerprint and track you across the web, or even de-anonymize you completely.

The sad news is that, as a web developer, there’s no obvious way to prevent this type of attack. End users should consider using a content blocker (not just an ad blocker) in their browser.

Source: Dev.Opera