Bugtraq mailing list archives
Re: cache cookies?
From: Wham Bang <wham_bang () YAHOO COM>
Date: Tue, 19 Dec 2000 10:33:01 -0800
Hi,

--- Lincoln Yeoh <lyeoh () pop jaring my> wrote:
> At 01:40 PM 12/18/00 -0800, Wham Bang wrote:
> [...]
> So you can write an entire arbitrary html document into a user's cache (Doh :) ).
> [Generate a uniquely named frame/image per user.]

Why yes, I think there are probably easier ways to "tag" users, if that's all you wish to do. (Another option is to have the same image at the bottom of every page and have whatever generates that image use a different ETag header per user, as discussed in http://www.linuxcare.com.au/mbp/meantime/.)

One of the advantages of the "cache cookie" method is that any page can find out your ID by running a simple bit of JavaScript. This JavaScript is always the same, so one doesn't need to generate every page on the fly to include some sort of session identifier somewhere. It is also cross-domain.

BTW, since you control access to the images that will be retrieved for the "off" bits (not in cache), I believe you can make this a lot more reliable than the samples that try to find out whether or not you've visited some *other* site. Simply introduce some deliberate delay when you serve out the images. That way you'll avoid any false positives that might result from a super-fast response from your server.

But I was just trying to explain what the authors were getting at and what they meant when they said "cache cookie". A lot of people didn't seem to see how this could be used to store information surreptitiously. I agree it's pretty academic.

Later,

=====
Wham! <wham_bang () yahoo com>
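
The reliability point in the message above, as a simulation added here (not code from the post or from anyone in the thread): it models reading ID bits back by load time and counts how often an uncached "off" bit is misread as cached, with and without a deliberate server delay. It uses no browser or network calls; the 16-bit ID, the 20 ms threshold, the timing ranges and the 500 ms delay are all constructed assumptions.

```javascript
// Simulation only: every timing below is constructed, nothing is fetched.
const BITS = 16;         // assumed ID width, one image per bit
const THRESHOLD_MS = 20; // assumed cut-off: a faster load is read as "in cache"

// Small deterministic PRNG (mulberry32) so every run gives the same result.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Bit i of the ID is "on" when image i is in the cache.
function encodeId(id) {
  return Array.from({ length: BITS }, (_, i) => ((id >> i) & 1) === 1);
}

// Constructed timing model: a cache hit takes 1-5 ms; a miss takes a
// 2-60 ms round trip plus whatever delay the server deliberately adds.
function loadTimeMs(cached, serverDelayMs, rng) {
  return cached ? 1 + rng() * 4 : 2 + rng() * 58 + serverDelayMs;
}

// Read-out side: classify each load as hit or miss by the threshold.
function decodeId(timings) {
  return timings.reduce((id, t, i) => (t < THRESHOLD_MS ? id | (1 << i) : id), 0);
}

// Number of IDs read back wrongly over `trials` simulated visitors.
function misreads(serverDelayMs, trials, seed = 1) {
  const rng = mulberry32(seed);
  let wrong = 0;
  for (let n = 0; n < trials; n++) {
    const id = Math.floor(rng() * (1 << BITS));
    const timings = encodeId(id).map((c) => loadTimeMs(c, serverDelayMs, rng));
    if (decodeId(timings) !== id) wrong++;
  }
  return wrong;
}

console.log("misreads, no added delay:", misreads(0, 200));
console.log("misreads, 500 ms added delay:", misreads(500, 200));
```

In this model the only error source is a fast miss falling under the threshold, which is the false positive the message describes; once the added delay exceeds the threshold, that error cannot occur.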