Front-End Performance: The Dark Side

On April 1st, I spoke at the very first Fronteers Spring Conference. The theme of the whole conference was performance. For my presentation, I decided to try something a little bit different: instead of talking about techniques that lead to better client-side performance, I focused on security-sensitive situations in which performance can actually be a bug rather than a feature.

View the slides here:

Check out the video below.

The Q&A session after the talk was recorded as well.

The presentation walks through what timing attacks are, explains how they can occur on the web through client-side code, and demonstrates how modern performance-related web APIs can sometimes have a negative security impact. To get the point across, I showcased some brilliant research by Yan Zhu and Tom Van Goethem. My favorite demo was one of Tom’s, where a client-side timing attack (using nothing but JavaScript) is used to figure out the exact age of the current visitor. (This demo starts around 16:03 in the first video.)

To me, this stuff is extremely interesting on a technical level. It’s also a little scary, however, to realize that malicious actors can use these techniques to invade your privacy while you’re browsing the web, without you ever knowing. Embedded third-party advertisements could be running timing attacks in the background, leaking pieces of private info (such as age, gender, location), which in turn enables them to serve you more targeted advertisements, fingerprint and track you across the web, or even de-anonymize you completely.

The sad news is that, as a web developer, there’s no obvious way to prevent this type of attack. Using Same-Site cookies helps, but the strict mode seems a bit too aggressive for mainstream usage, and the lax mode might still not fully protect against timing attacks.
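To make the difference between the two modes concrete, here is an added example (not from the talk or the original post): a small model of the SameSite rule that decides whether a session cookie accompanies a request. The function names, the cookie and the sample requests are constructed for illustration.

```javascript
// Added example: a model of the SameSite rule, not browser source code.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build the Set-Cookie value a server would send for a session cookie.
function sessionCookie(name, value, mode) {
  if (!['Strict', 'Lax', 'None'].includes(mode)) {
    throw new TypeError(`unknown SameSite mode: ${mode}`);
  }
  return [`${name}=${value}`, 'Path=/', 'Secure', 'HttpOnly', `SameSite=${mode}`].join('; ');
}

// Read the SameSite mode back out of a Set-Cookie value.
// Assumption of this model: a cookie without the attribute is unrestricted.
function sameSiteMode(setCookie) {
  const attr = setCookie.split(';').map((s) => s.trim().toLowerCase())
    .find((s) => s.startsWith('samesite='));
  return attr ? attr.slice('samesite='.length) : 'none';
}

// Decide whether the cookie accompanies a request.
// request.crossSite: the request was initiated from another site.
// request.topLevel: it is a top-level navigation (changes the address bar).
function cookieIsSent(setCookie, request) {
  if (!request.crossSite) return true;
  const mode = sameSiteMode(setCookie);
  if (mode === 'none') return true;
  if (mode === 'lax') return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
  return false; // strict: never sent on cross-site requests
}

// Constructed sample requests against a site that set the cookie.
const SAMPLE_REQUESTS = [
  { label: 'same-site fetch', crossSite: false, topLevel: false, method: 'GET' },
  { label: 'cross-site subresource (img, script, fetch)', crossSite: true, topLevel: false, method: 'GET' },
  { label: 'cross-site link click', crossSite: true, topLevel: true, method: 'GET' },
  { label: 'cross-site form POST', crossSite: true, topLevel: true, method: 'POST' },
];

// Labels of the sample requests that arrive with the session cookie attached.
function authenticatedRequests(mode) {
  const cookie = sessionCookie('session', 'constructed-value', mode);
  return SAMPLE_REQUESTS.filter((r) => cookieIsSent(cookie, r)).map((r) => r.label);
}

for (const mode of ['None', 'Lax', 'Strict']) {
  console.log(mode.padEnd(6), authenticatedRequests(mode).join(' | '));
}
```

In the strict mode even a plain link from another site arrives without the session, which is why it is hard to adopt everywhere; in the lax mode cross-site top-level GET navigations still carry the cookie.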

End users should consider blocking third-party cookies, or using a content blocker (not just an ad blocker) in their browser.