Front-End Performance: The Dark Side
On April 1st, I spoke at the very first Fronteers Spring Conference. The theme of the whole conference was performance. For my presentation, I decided to try something a little bit different: instead of talking about techniques that lead to better client-side performance, I focused on security-sensitive situations in which performance can actually be a bug rather than a feature.
The Q&A session after the talk was recorded as well.
To me, this stuff is extremely interesting on a technical level. It’s also a little scary, however, to realize that malicious actors can use these techniques to invade your privacy while you’re browsing the web, without you ever knowing. Embedded third-party advertisements could be running timing attacks in the background, leaking pieces of private info (such as age, gender, location), which in turn enables them to serve you more targeted advertisements, fingerprint and track you across the web, or even de-anonymize you completely.
The sad news is that, as a web developer, there’s no obvious way to prevent this type of attack. Using SameSite cookies helps, but its Strict mode seems a bit too aggressive for mainstream usage, and its Lax mode might still not fully protect against timing attacks, since Lax cookies are still sent along with cross-site top-level navigations.
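To make the gap concrete, here is an added example (not code from the talk or the original post) that models when a browser attaches a cookie to a request under each SameSite value. It assumes a missing SameSite attribute is treated as Lax, as Chromium does, and that SameSite=None is only honoured together with Secure.

```javascript
// Added example: a small model of the SameSite cookie rules. It shows why
// SameSite=Lax still leaves a hole: a cross-site top-level navigation with a
// safe method (a plain GET) still carries the cookie, so a response timed via
// such a navigation can still depend on the victim's logged-in state.
// Assumptions: no SameSite attribute => Lax (Chromium default);
// SameSite=None is ignored unless the cookie is also Secure.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function parseSetCookie(header) {
  // Turn "sid=abc; Secure; SameSite=Lax" into a plain cookie object.
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: 'Lax', secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') {
      const val = v.trim().toLowerCase();
      cookie.sameSite = val === 'strict' ? 'Strict' : val === 'none' ? 'None' : 'Lax';
    }
  }
  return cookie;
}

function cookieSentOn(cookie, req) {
  // req: { crossSite, topLevel, method, https } describes the outgoing request.
  if (cookie.secure && !req.https) return false;
  if (!req.crossSite) return true; // same-site requests always carry the cookie
  switch (cookie.sameSite) {
    case 'Strict': return false;
    case 'None': return cookie.secure; // None without Secure is rejected
    default: return req.topLevel && SAFE_METHODS.has(req.method.toUpperCase()); // Lax
  }
}

// Three cross-site request shapes an embedded third party can trigger (constructed).
const CROSS_SITE_REQUESTS = {
  subresource: { crossSite: true, topLevel: false, method: 'GET', https: true },  // <img>, fetch()
  topLevelGet: { crossSite: true, topLevel: true, method: 'GET', https: true },   // link / location change
  topLevelPost: { crossSite: true, topLevel: true, method: 'POST', https: true }, // auto-submitted form
};

function exposure(header) {
  // Which cross-site request shapes still carry this cookie?
  const cookie = parseSetCookie(header);
  return Object.fromEntries(Object.entries(CROSS_SITE_REQUESTS).map(([k, r]) => [k, cookieSentOn(cookie, r)]));
}

console.log(exposure('sid=abc; Secure; SameSite=Lax'));
// → { subresource: false, topLevelGet: true, topLevelPost: false }
```

Only Strict closes every cross-site shape; Lax still leaves the top-level GET path open, which is the case the paragraph above warns about.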
End users should consider blocking third-party cookies, or using a content blocker (not just an ad blocker) in their browser.