Not too exciting of an issue, unfortunately. It only really works if you have one application or website open in addition to the malicious page. They don't mention it explicitly (though maybe I missed it), but it seems like you'd have a very hard time fingerprinting individual pages, only websites. It also seems like you have to open the application or webpage while the malicious page is measuring—it can't get a meaningful trace from a page that's idling.
The other thing that stands out to me is that I would expect the browser to throttle the malicious page when it's inactive. Background tabs don't stay fully active, so you'd be hard pressed to abuse this in realistic circumstances, I think.
_notreallyme_ 6 hours ago [-]
Not to mention, you would need to first train a model on your target for the fingerprint to work.
That doesn't seem even remotely useful in practice.
kurthr 13 hours ago [-]
Good, now I have an excuse for keeping 50 tabs open all the time!
https://hannesweissteiner.com/pdfs/frost.pdf
Not too exciting of an issue, unfortunately. It only really works if you have one application or website open in addition to the malicious page. They don't mention it explicitly (though maybe I missed it), but it seems like you'd have a very hard time fingerprinting individual pages, only websites. It also seems like you have to open the application or webpage while the malicious page is measuring—it can't get a meaningful trace from a page that's idling.
The other thing that stands out to me is that I would expect the browser to throttle the malicious page when it's inactive. Background tabs don't stay fully active, so you'd be hard pressed to abuse this in realistic circumstances, I think.
That doesn't seem even remotely useful in practice.