
Re: [Public WebGL] WebGL security

On Sat, Jan 7, 2012 at 8:49 AM, Florian Bösch <pyalot@gmail.com> wrote:
On Sat, Jan 7, 2012 at 2:30 PM, John Davis <jdavis@pcprogramming.com> wrote:
Has Microsoft issued any explanation as to how/why the Silverlight 5 3D implementation recently released is secure and WebGL is not? Both basically have the same functionality.

To my knowledge they have given no detailed explanation. But one of their proxies issued a security warning around that time to do with time-attacking pixel values obtained from sources across domains (you shouldn't be able to access those). In my opinion the attack is quite useless, since it requires time-delays bigger than one millisecond to be even measurable in JS. Since you'll want color, you need a measurable difference (say 1ms vs. 2ms) for each color of each channel for each pixel, so decoding one pixel would take 1.5 seconds (at best), decoding a 150x30 image (captcha sizes) would take nearly two hours (during which time the user's machine would hardly be operable).

You just need white and black to be able to distinguish text in images.  This has already been fixed, with changes to the canvas tainting rules.

Of course, claiming "we won't implement this because we found one security problem", if that's what they're doing, is just FUD.  I'd tend to interpret it as a thin veil over things like "we want people using Silverlight instead" or "we don't want people learning OpenGL instead of Direct3D".

Glenn Maynard