Bugtraq mailing list archives

Re: cache cookies?


From: Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE>
Date: Wed, 13 Dec 2000 12:41:43 +0100

cypherstar <cypherstuff () vrl com au> writes:

> Has this been sighted already?
>
> or is it snakeoil?

I think it actually works.

http://www.princeton.edu/pr/news/00/q4/1205-browser.htm

I'm Cc:ing Steven Schulz, maybe he can provide some additional
details.

The press release describes an attack based on the time a browser
needs to fulfill a request for an object.  This time is short if the
request is handled by the browser cache, and longer if it has to go
over the net, and it obviously depends on the site the user has
visited before.

I wonder how this time difference is measured.  Probably the most
efficient way is some JavaScript code.  Of course, requests to other
servers may affect the bandwidth used by the client if the requested
object is not in the cache, but I suspect this is not a reliable data
source.

Regarding 'cache cookies', I wonder how much data has to be
transmitted over the net for just one bit of cache cookie information.
The obvious approach leaks at most one bit per object (present/not
present in cache), and to retrieve the information, in, say, half of the
cases, the necessary request goes over the network and results in a
few hundred *bytes* transmitted over the wire.  This blows up the
volume by a factor of at least 100, I think.  There may be situations
in which this is acceptable (if only a few bits suffice for tagging
users), but I don't think you can perform such hidden tagging on the
general public because the overhead is so big.

However, a more efficient approach to cache cookies could exist, but I
have to admit that I don't have the slightest idea what it might look
like. ;-)

--
Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

