Commit bf52a9ec authored by BDADAD-stack

fixed table

parent 4b88f62e
+0 −1
@@ -2375,7 +2375,6 @@ For this mock risk analysis, the following risk factors, where applicable, were
| T1 | Cross-origin separation failure | Reduced | Attack surface exposure (9) — Web browsers are exposed to untrusted web content / Architectural choices (7) — Spectre-like attacks often undermine process isolation even when implemented correctly. / Third-party component dependencies (7) — GPU process is third-party-derived and historically prone to type confusion and memory corruption attacks. | **7.7** | Data sensitivity (9) — Data stored in user browser profile is highly sensitive. / Control presence and effectiveness (5) — Site isolation, COOP/COEP headers, partially mitigate the threat but do not eliminate it. / Architectural choices (6) — A multi-process architecture is employed to reduce threat exposure but some remaining architectural trust assumptions leave residual risk.| **6.7** | **51.6** | High |
| T2 | Capability escalation through permissioned surfaces | Reduced | Attack surface exposure (8) — Web browsers expose various powerful feature APIs. / Operational context (7) — Users often grant broad permissions without clearly understanding scope and duration of expressed consent. Additionally, permissions persist across sessions, often shared by mutliple users, compounding exposure. / Third-party component dependencies (7) — Web browser extensions and embedded third-party code operate with high privilages within the browser context, representing an important attack vector. Additionally, extensions may abuse powerful features, leading to function creep and increasing threat exposure. | **7.3** | Data sensitivity (8) — Escalated capabilities can expose sensitive user data, including geolocation, device hardware, local file system contents, and persistent device identifiers. / Control presence and effectiveness (5) — Express user consent is mediated through permission prompts, but users often lack full visibility into granted permissions and may in general maintain an insufficient level of cyber hygiene given the risks of powerful features and permissioned surfaces.  / Architectural choices (4) — No permission life span is enforced by default and the user is not prompted to expres consent at the start of every session. | **5.7** | **41.6** | Medium |
| T3 | OS / kernel compromise below browser control | Accepted | Operational context (5) — Not a direct browser attack vector. / Third-party component dependencies (6) — Web browsers rely entirely on the host OS for a number of functionalities outside web browser control. / Attack surface exposure (4) — A local kernel compromise would need to defeat architectural web browser isolation. | **5.0** | Data sensitivity (10) — A kernel-level compromise would grant attackers access to all browser state, credentials, private keys, user profile, and memory contents. / Control presence and effectiveness (2) — No browser confinement can meaningfully limit impact once the underlying OS is compromised. / Architectural choices (3) — Web browser sandboxing relies on OS primitives and defence-in-depth therefore stops at the OS boundary. | **5.0** | **25.0** | Low |

| T4 | Passive or active network attack | Accepted | Operational context (6) — Users often access untrusted web content via untrusted public networks (Shared residential networks, Public WiFis, etc.). / Control presence and effectiveness (3) — Most default configurations (TLS 1.3, HSTS preloading, certificate transparency, HTTP-to-HTTPS force-redirect drastically reduce likelihood of such attacks. / Attack surface exposure (4) — Some residual plaintext exposure remains (including unencrypted DNS queries, HTTP traffic, etc.). | **4.3** | Data sensitivity (6) — Intercepted traffic may contain session tokens, credentials, OTPs, as well as other plaintext sensitive user information. / Control presence and effectiveness (4) — Existing cryptographic controls effectively protect the majority of traffic from interception and network attacks, and residual risk is limited to legacy protocols or misconfigured endpoint. / Architectural choices (3) — State of the art architectural choices actively and substantially reduce impact. | **4.3** | **18.5** | Low |

Final **Product risk level**: **High (51.6/100)**
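
Review bot: the impact factors in the T3 row look scored in the opposite direction from the rest of the table. "Control presence and effectiveness (2)" is justified with "No browser confinement can meaningfully limit impact", and "Architectural choices (3)" with defence-in-depth stopping at the OS boundary, yet T4 gives the same low values (4 and 3) to controls and architecture that it describes as effective. As written, T3 ends up with an impact of 5.0 despite "Data sensitivity (10)" and no working control. Please state the scale direction once near the table and rescore T3 to match, or explain why absent controls lower the score for an Accepted threat. While this commit is touching the table, the visible rows also carry typos worth fixing in the same pass: "mutliple", "privilages" and "expres" in T2, and the parenthesis opened at "(TLS 1.3, HSTS preloading" in T4 is never closed.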