Bugtraq mailing list archives

Re: cache cookies?


From: Nick Lamb <njl98r () ECS SOTON AC UK>
Date: Fri, 15 Dec 2000 20:52:17 +0000

On Thu, Dec 14, 2000 at 02:06:48AM -0500, Thomas Reinke wrote:
> Actually, it *does* work.  We have on our site a
> working demonstration of the exploit, showing whether or not
> you've visited one or more of more than 80 different well known
> sites.  The URL is
>
>    http://www.securityspace.com/exploit/exploit_2a.html

Not very impressive. Mozilla M18 showed very poor results, spotting
only one of the sites I had visited (out of a dozen or so), and
on subsequent loads after visiting more sites it reported "Cache hit"
for everything. Tests with other sites, with a fresh browser config,
on different systems, revealed that test results stayed low, sometimes
zero effectiveness, usually less than 50%.

To collect each "bit" of info the browser opened ports to servers
quite unrelated to the request, causing Cookie warning pop-ups for
sites I've never heard of. In a medium-paranoid setting this was
setting off more flashing lights than our local Christmas display.

If someone started using this on the public it would be detected
quickly, and while it's difficult to really defeat (which might make
it attractive to some organisations) it would also be very hard to
maintain, because it relies on understanding the site design of each
target to get a "good" cache cookie.

Only one "attacker" can use it on the net safely, because using it on
someone once effectively "immunises" them against further attack
for an indefinite period of time. Defense means hitting "flush cache"
after visiting disreputable or embarrassing sites.

> That is actually trivial to bypass through a simple flag that
> indicates what has and has not been checked.

Where would you store this flag? In a Cookie?

Nick.
