• alapakala@quokk.au · 6 days ago

    or, no tabs at all. Let the window manager tab browser sessions instead. Isolated/jailed, ofc…

    • 9point6@lemmy.world · 6 days ago

      Nah, that’s not gonna do anything for this given it is looking at the I/O characteristics of your SSD, it doesn’t need any permissions to do this, it’s basically just copying stuff in its own sandbox and pulling data from analysing the transfer characteristics.

      Unless for every site you want to visit you install a fresh SSD, with a new installation of a browser and you only ever visit a given site from its dedicated browser and SSD, and do nothing else with it. (This is not limited to figuring out just what sites you’re visiting, but also what applications you’re running.)

      The alternative is something similar to what I suggested which is to basically ensure your SSD is spammed with accesses so it’s very hard to pull out the individual signals.

      It’s similar to a VPN connection. If someone is particularly interested in you, they can look at the pattern of VPN transfer traffic. If you open a connection and then go straight to a website and nothing else, it’s relatively trivial for a determined enough adversary to take a fingerprint of the transfer sizes and timings. Enough times they can get a good set of fingerprints that they can then start to match to actual sites.

      Now this was regarded as quite hard to do until AI tools like this one came along to dramatically reduce the time needed to do this analysis.

      A way to mitigate the above is to make sure your connections are doing multiple things so it’s harder to pull these fingerprints from traffic patterns. So I’m assuming the same strategy would work here given it’s basically the same kind of attack.

        • 9point6@lemmy.world · 6 days ago

          Sorry could you elaborate? You just linked to the MDN page in the comment and claimed it was bad in that one. Did you mean to link to a different one?

          It’s implemented everywhere, so it’s not that it’s a single browser doing something weird, it seems to be sandboxed (in a conventional sense), and there’s plenty of use cases where an application might need high performance storage access or a pseudo filesystem.

          What is your reasoning for unimplementing it rather than mitigating the issue? I don’t believe there is an equivalent web technology to this that people could use instead.

          • alapakala@quokk.au · 6 days ago

            As demonstrated in the paper, OPFS enables attackers to read more than just browsing habits, but also solid state gates’ data.
            Meaning, if vendors require HPSA, they will need to redesign their entire threat model to an isolated securely atomized one that OPFS by design cannot secure.

            • 9point6@lemmy.world · 6 days ago

              I get that the paper has discovered a flaw, but I don’t see how it is unmitigatable, it’s still a sandboxed filesystem at the end of the day, rate smoothing and noise insertion seem like fairly obvious first steps and I’m far from an expert.

              It’s like saying we should get rid of VPNs because they suffer the same kinds of side channel risk.

              • alapakala@quokk.au · 6 days ago

                I mentioned threat remodeling for several reasons. One of them is, as designed OPFS fails every single one of your suggestions, and more.

                So, an entire HPSA model needs to be redesigned, or stick to non HPSA whatsoever until further peer reviewed refuzzing has been made.

                This type of vectorization isn’t novel, it’s just hilarious vendors just accepted it without further security considerations.

                > we should get rid of VPNs because they suffer the same kinds of side channel risk.

                🤝🤣

                • 9point6@lemmy.world · edited · 6 days ago

                  > 🤝🤣

                  Why did you chop off the start of the sentence to make it look like I was saying the thing you were?

                  I was pointing out it’s a ridiculous thing to suggest

                  > I mentioned threat remodeling for several reasons. One of them is, as designed OPFS fails every single one of your suggestions, and more.
                  >
                  > So, an entire HPSA model needs to be redesigned, or stick to non HPSA whatsoever until further peer reviewed refuzzing has been made.
                  >
                  > This type of vectorization isn’t novel, it’s just hilarious vendors just accepted it without further security considerations.

                  Right, yes it definitely needs fixing, that’s what I’m saying. Then you veer off into saying we should build it from scratch again? Why? There’s no apparent need for that given what you’ve said, you’re just describing what we do to fix the existing standard?

                  It’s the web, vendors don’t break existing APIs unless there’s no other option and from what you’ve written so far, the problem is in the implementation, not the API.

                  • alapakala@quokk.au · 6 days ago

                    bruv, have you ever designed a fighter jet from a raft?

                    Because that is the equivalent of comparing OPFS to a secured PostgreSQL query.

                    You cannot attain security from a raft, when fighter jets only need to drop bombs like a carpet to write on cities, and traverse microseconds of distances compared to whatever the wind is.

                    OPFS is insecure by design.