Bugtraq mailing list archives
Re: cache cookies?
From: Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE>
Date: Wed, 13 Dec 2000 12:41:43 +0100
cypherstar <cypherstuff () vrl com au> writes:

> Has this been sighted already? or is it snakeoil?

I think it actually works.

http://www.princeton.edu/pr/news/00/q4/1205-browser.htm

I'm Cc:ing Steven Schulz, maybe he can provide some additional details.

The press release describes an attack based on the time a browser needs to fulfill a request for an object. This time is short if the request is handled by the browser cache, and longer if it has to go over the net, and it obviously depends on the site the user has visited before.

I wonder how this time difference is measured. Probably the most efficient way is some JavaScript code. Of course, requests to other servers may affect the bandwidth used by the client if the requested object is not in the cache, but I suspect this is not a reliable data source.

Regarding 'cache cookies', I wonder how much data has to be transmitted over the net for just one bit of cache cookie information. The obvious approach leaks at most one bit per object (present/not present in cache), and to retrieve the information, in, say, half of the cases, the necessary request goes over the network and results in a few hundred *bytes* transmitted over the wire. This blows up the volume by a factor of at least 100, I think. There may be situations in which this is acceptable (if only a few bits suffice for tagging users), but I don't think you can perform such hidden tagging on the general public because the overhead is so big.

However, a more efficient approach to cache cookies could exist, but I have to admit that I don't have the slightest idea what it might look like. ;-)

--
Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
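
The overhead estimate in the message above, worked through in a small model (an added example, not part of the original post or of the research the press release describes). The cache is simulated as a set; the 300-byte miss cost and the `site.example` object names are assumptions.

```javascript
// Constructed model: the browser cache is a Set of URLs, and every miss
// costs BYTES_PER_MISS on the wire (assumed stand-in for "a few hundred bytes").
const BYTES_PER_MISS = 300;

class ModelCache {
  constructor() { this.entries = new Set(); this.wireBytes = 0; }
  // true = served from cache (fast); false = fetched over the net, then cached.
  fetch(url) {
    if (this.entries.has(url)) return true;
    this.wireBytes += BYTES_PER_MISS;
    this.entries.add(url);
    return false;
  }
}

// Hypothetical naming: one cacheable object per tag bit.
const urlFor = (i) => `https://site.example/tag/bit${i}`;

// Setting the tag: object i is loaded only where bit i is 1.
function writeTag(cache, bits) {
  bits.forEach((b, i) => { if (b) cache.fetch(urlFor(i)); });
}

// Reading the tag: every object is requested; hit = 1, miss = 0.
// A miss fills the cache, so reading overwrites the stored value.
function readTag(cache, nBits) {
  return Array.from({ length: nBits }, (_, i) => (cache.fetch(urlFor(i)) ? 1 : 0));
}

function measure(bits) {
  const cache = new ModelCache();
  writeTag(cache, bits);
  const writeBytes = cache.wireBytes;
  const firstRead = readTag(cache, bits.length);
  const readBytes = cache.wireBytes - writeBytes;
  const secondRead = readTag(cache, bits.length);
  // Wire bytes spent on the read per byte of tag information recovered.
  const blowup = readBytes / (bits.length / 8);
  return { writeBytes, readBytes, firstRead, secondRead, blowup };
}

// Constructed 16-bit tag with half the bits set, matching "half of the cases".
const SAMPLE_TAG = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1];
console.log(measure(SAMPLE_TAG));
```

With these assumed numbers the read alone moves 2400 bytes to recover 2 bytes of tag, and the second read returns all ones because the first read filled the cache, so the tag would have to be rewritten after every read.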