Re: [Public WebGL] WebGL security

On Sat, Jan 7, 2012 at 2:30 PM, John Davis <jdavis@pcprogramming.com> wrote:
Has Microsoft issued any explanation as to how/why the Silverlight 5 3D implementation recently released is secure and WebGL is not?  Both basically have the same functionality.

To my knowledge they have given no detailed explanation. But one of their proxies issued a security warning around that time to do with time-attacking pixel values obtained from sources across domains (you shouldn't be able to access those). In my opinion the attack is quite useless, since it requires time-delays bigger than one millisecond to be even measurable in JS. Since you'll want color, you need a measurable difference (say 1ms vs. 2ms) for each color of each channel for each pixel, so decoding one pixel would take 1.5 seconds (at best), decoding a 150x30 image (captcha sizes) would take nearly two hours (during which time the user's machine would hardly be operable).

I have tried to look into Silverlight 5 features, but I could not find any coherent source of API documentation. I can only surmise that Silverlight 5 does not support shaders at all, and is just a fixed function forward shading polygon rasterizer. Please correct me if that is a wrong impression.