Provide guidelines for mitigation algorithms

This patch is providing guidelines on numerical values to select for the mitigation algorithms parameters. [1] [1] w3c#197 (comment) Fixes: w3c#240
arskama · Oct 30, 2023 · 7aa1f87 · 7aa1f87
1 parent 34af5b1
commit 7aa1f87
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/index.html b/index.html
@@ -854,7 +854,7 @@ <h3>Supporting algorithms</h3>
       <ul>
         <li>
           set |observer|.{{PressureObserver/[[ObservationWindow]]}} to an [=implementation-defined=] randomized integer value in
-          milliseconds within an [=implementation-defined=] range, e.g., random between 300000 and 600000 (5 and 10 minutes).
+          milliseconds within an [=implementation-defined=] range.
         </li>
         <li>
           set |observer|.{{PressureObserver/[[MaxChangesThreshold]]}} to an [=implementation-defined=] randomized integer
@@ -870,6 +870,20 @@ <h3>Supporting algorithms</h3>
       </ul>
       Run the [=reset observation window=] steps and start a timer to re-run the steps when the observer.{{PressureObserver/[[ObservationWindow]]}}
       time has passed, using different randomized values.
+    <aside class="note">
+      Implementers are advised to use:
+      <ul>
+        <li>
+          a range in milliseconds between 300000 and 600000 for |observer|.{{PressureObserver/[[ObservationWindow]]}}.
+        </li>
+        <li>
+          a range in between 50 and 100 changes for |observer|.{{PressureObserver/[[MaxChangesThreshold]]}}.
+        </li>
+        <li>
+          a range in milliseconds between 5000 and 10000 for |observer|.{{PressureObserver/[[PenaltyDuration]]}}.
+        </li>
+      </ul>
+    </aside>
     </p>
     <p>
       <aside class="note">
@@ -1363,14 +1377,21 @@ <h4>Break calibration</h4>
           at runtime when this mitigation is running continuously. Any attempts to recalibrate
           will similarly be mitigated against.
         </p>
-        <div class="note">
+        <aside class="note">
+          This mitigation, if applied too often, can deteriorate the pressure state detection reliability.
+          Therefore it is targeted for longer calibration attack processes.
+          Implementers are advised to apply the mitigation to a randomized time value in milliseconds
+          within a range between 120000 and 240000 (2 and 4 minutes).
+          Faster calibration processes can be mitigated by [=rate obfuscation=] mitigation.
+        </aside>
+        <aside class="note">
           Modern browsers throttle background tabs using [=implementation-defined=]
           heuristics in order to reduce resource usage. For example, after a period of
           no user interaction a background tab can be throttled that will influence
           the global pressure state of the system. This built-in feature of modern
           browsers further improves the effectiveness of the break calibration
           mitigation.
-        </div>
+        </aside>
       </section>
       <section>
         <h4>Same-origin restriction</h4>