Bugtraq mailing list archives

Re: cache cookies?


From: Rob Lemos <Rob_Lemos/SF/ZDNET () ZDNET COM>
Date: Fri, 15 Dec 2000 12:52:34 -0800

James:

As the elements in a specific visitor's cache expire, the malicious site
can once again use the attack on that visitor. So your use of "never" is
not quite right. How often the visitor comes back to the offending site
would determine whether or not the positive hits keep getting refreshed or
eventually expire.

This could be measured by the site attempting to check a unique element
that only resides on itself. If the element is there, then none of the hits
can be relied upon.

(BTW, Thomas, I tried your site and it missed on everything. Are you
instituting the paper's calibration tests as well?)

Personally, the thing I think is so interesting about this attack is that
it resembles the corollary to the Heisenberg Uncertainty Principle, that an
observer can't help but change that which they are observing.

-R

Robert Lemos
Senior editor
ZDNet News

    -----Original Message-----
   From:   "James N. Potts" <jnp () CRNET COM>@INTERNET@INTERLIANT@ZDNET
   Sent:   Thursday, December 14, 2000 11:49 PM
   To:     BUGTRAQ () SECURITYFOCUS COM@INTERNET@INTERLIANT@ZDNET
   Subject:  Re: cache cookies?

   Thomas Reinke wrote:
   > Actually, it *does* work.  We have on our site a
   > working demonstration of the exploit, showing whether or not
   > you've visited one or more of more than 80 different well known
   > sites.  The URL is
   >
   >    http://www.securityspace.com/exploit/exploit_2a.html
   >
   > We've found with the demo that
   >
   >    a) It is as reliable as the ability to find an image that
   >       would be cached by the browser. In fact, the timing is
   >       very accurate, but other factors can fool the mechanism.
   >       Out of the 80 odd sites we tested, we had 3 false negatives.
   The first time I tried your exploit, I had negatives for every site. The
   second time, I had positives for every site (as has been pointed out would
   happen).
   Which leads to:
   >    b) Dangerous is subjective - a malicious site CAN find
   >       out what sites you have visited. How much they can do
   >       with it? Well..that's up to the imagination. Certainly
   >       I doubt (hope?) that larger organizations wouldn't
   >       stoop to this trick, but I honestly see nothing preventing
   >       advertising orgs and so on from not doing this, other
   >       than the uproar it would cause in the industry.
   Because of the above problem, the data becomes useless.  After visiting a
   malicious site once, that site can never see if you've visited anyone
   since (without regularly changing the files that they look for).  Plus,
   there's bound to be overlap between malicious sites; it's plausible that
   within a short period of time, all users visiting malicious sites would
   have positives for all overlapping sites, even though the users have never
   truly visited those sites.  Since the data isn't trustworthy, why would
   sites bother to look for it?
   -Jim Potts

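The exchange above turns on one side effect: checking whether a third-party image is cached loads it into the cache, so the probing site pollutes its own later measurements. The following is an added model of that argument, not code from any of the posters or from the securityspace.com demo. It simulates cache state only (no timing), uses constructed hostnames, and implements Rob Lemos's suggested check: a calibration element hosted only by the probing site, which can only be a cache hit if this visitor has run the probe before. It then replays James Potts's sequence (first visit reliable, second visit all positives) and Rob's point that the data becomes usable again once the entries expire.

```python
from dataclasses import dataclass, field


@dataclass
class BrowserCache:
    """Minimal browser cache model: URL -> time at which the entry expires."""
    ttl: int
    entries: dict = field(default_factory=dict)

    def is_cached(self, url, now):
        return url in self.entries and self.entries[url] > now

    def fetch(self, url, now):
        """Load a resource. Returns whether it was already cached and, hit or
        miss, leaves it cached for another ttl time units. This side effect
        is what pollutes every later probe."""
        hit = self.is_cached(url, now)
        self.entries[url] = now + self.ttl
        return hit


def probe(cache, now, targets, calibration_url):
    """One visit to the probing page.

    calibration_url is hosted only by the probing site, so it can only be a
    hit if this same visitor has run the probe before. If it is a hit, the
    target results are self-polluted and must be discarded.
    Returns (reliable, {target_url: cached_before_this_probe}).
    """
    polluted = cache.fetch(calibration_url, now)
    hits = {url: cache.fetch(url, now) for url in targets}
    return (not polluted), hits


# Constructed sample URLs; none of these hosts is real.
SITE_A = "https://site-a.example/logo.gif"
SITE_B = "https://site-b.example/logo.gif"
CALIBRATION = "https://prober.example/calibration.gif"


def run_scenario(ttl=10):
    """Replay the sequence of events discussed in the thread and return one
    (time, reliable, hits) tuple per probe."""
    cache = BrowserCache(ttl=ttl)
    # t=0: the visitor genuinely visits site A, whose page loads its logo.
    cache.fetch(SITE_A, now=0)
    results = []
    # t=1: first probe. The calibration element is a miss, so the result is
    # trustworthy: A was visited, B was not.
    results.append((1,) + probe(cache, 1, [SITE_A, SITE_B], CALIBRATION))
    # t=2: second probe within the cache lifetime. The first probe cached
    # everything, so every target is a hit and the calibration element
    # flags the data as polluted.
    results.append((2,) + probe(cache, 2, [SITE_A, SITE_B], CALIBRATION))
    # t=13: all entries have expired; the probe is meaningful again (and the
    # genuine visit to A has expired along with them).
    results.append((13,) + probe(cache, 13, [SITE_A, SITE_B], CALIBRATION))
    return results


if __name__ == "__main__":
    for t, reliable, hits in run_scenario():
        status = "reliable" if reliable else "polluted by earlier probe"
        print(f"t={t:>2}: {status}; hits={hits}")
```

The model makes the defensive reading of the thread concrete: a probing site has to discard every run in which its calibration element hits, and the window in which it can learn anything about a returning visitor is bounded by the cache lifetime of the elements it probes.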