Does revealing semantic similarity scores between AES-encrypted data create an exploitable side channel?

Background: My expertise is in machine learning/AI, not cryptography, so I apologize if I’m missing fundamental security concepts. I’m trying to build a privacy-preserving AI agent system and want to understand potential vulnerabilities.
U… Continue reading Does revealing semantic similarity scores between AES-encrypted data create an exploitable side channel?

Why does Cross-Origin-Opener-Policy prevent opening links to the same-origin/domain when target="_blank" is used?

Let’s say you serve a website with the header Cross-Origin-Opener-Policy: same-origin. This is a new header that, if I understood it correctly, completely separates a browsing tab/origin to prevent against such low-level attacks like CPU-m… Continue reading Why does Cross-Origin-Opener-Policy prevent opening links to the same-origin/domain when target="_blank" is used?

How can a timing/cache side-channel attack be performed? How can attack know the time of which certain instructions are performed by the victim?

About timing my question is:
How can attack know the time of which certain instructions are performed by the victim?
And about the cache, how can attacker know which cache line is being accessed by the victim? Is this doable in "norma… Continue reading How can a timing/cache side-channel attack be performed? How can attack know the time of which certain instructions are performed by the victim?

Are timing-based side-channel attacks against the server during CORS preflight a legitimate concern?

Section 3.2.3 of the Fetch standard provides some guidance about how servers can/should handle preflight requests.

A successful HTTP response, i.e., one where the server developer intends to share it, to a CORS request can use any status,… Continue reading Are timing-based side-channel attacks against the server during CORS preflight a legitimate concern?