This seems a bit of a pain to actually use for tracking. A 1GB file allocation and neural network processing of all the transaction data to maybe find out that someone has Google Docs open?
I just read the paper and it isn’t 1GB, it’s system ram. So it has to create a file in your OPFS that’s closer to 32GB.
It can also only fingerprint the top 100 sites right now.
It will also noticably slow things down since it’s clearing your page cache 1000 times/sec which means you’re running almost entirely in swap/disk space.
Firefox is also the only one that limits OPFS size (10GB) so they need to create multiple files if you have more than 10GB or ram.
Unless I’m reading it wrong? Seems like it’s more of a “we can get your hardware to behave a certain way, even when sandboxed” thing than a “this is a very serious security vulnerability” thing?
I don’t see how it could become more efficient since the attack vector is basically just filling your ram and forcing your OS to clear the page cache.
This seems a bit of a pain to actually use for tracking. A 1GB file allocation and neural network processing of all the transaction data to maybe find out that someone has Google Docs open?
The whole thing is client-side JavaScript. The attacker won’t care about resources used, in this case, because the victim foots the bill
Does mean it’ll be pretty easy to detect at least.
Though if I were using something like google maps I wouldn’t notice an extra 1GB.
I just read the paper and it isn’t 1GB, it’s system ram. So it has to create a file in your OPFS that’s closer to 32GB.
It can also only fingerprint the top 100 sites right now.
It will also noticably slow things down since it’s clearing your page cache 1000 times/sec which means you’re running almost entirely in swap/disk space.
Firefox is also the only one that limits OPFS size (10GB) so they need to create multiple files if you have more than 10GB or ram.
So it’s basically a non-issue unless it becomes far more efficient?
Unless I’m reading it wrong? Seems like it’s more of a “we can get your hardware to behave a certain way, even when sandboxed” thing than a “this is a very serious security vulnerability” thing?
I don’t see how it could become more efficient since the attack vector is basically just filling your ram and forcing your OS to clear the page cache.