[18098] in bugtraq
Re: cache cookies?
daemon@ATHENA.MIT.EDU (Kee Hinckley)
Fri Dec 15 16:32:20 2000
Mime-Version: 1.0
Message-Id: <p05010401b65e0e9ed22a@[192.168.1.93]>
Date: Thu, 14 Dec 2000 00:58:55 -0500
Reply-To: Kee Hinckley <nazgul@SOMEWHERE.COM>
From: Kee Hinckley <nazgul@SOMEWHERE.COM>
X-To: Clover Andrew <aclover@1VALUE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <5F78AA062F6AD311A59000508B4AAF6D092BFB@PCS02>
At 2:11 PM +0100 12/13/00, Clover Andrew wrote:
> > http://www.princeton.edu/pr/news/00/q4/1205-browser.htm
>
>> or is it snakeoil?
>
>Well it *can* work. But I don't think the release's claims of
>being 'very reliable', 'very dangerous [to privacy]' and
>'countermeasure-proof' are justified.
I agree that the privacy violation aspects are pretty small. It
does, however, appear to be very reliable and difficult to defeat.
>AFAICS what they're talking about is using JavaScript onload
>events to time how long it takes to load a URL, which can be
>an image, a frameset, an object (with DOM level 2 events) or
Easiest is to create an onload callback for an image object. The
image itself doesn't have to appear on the page.
I wrote this as a function that puts the time result in a field (name
passed to the function) in a form called "cacheform".
function LoadAndTimeImage(imgurl, txtfield) {
    var img;
    var stime;
    // Create an image; it never has to be inserted into the page
    img = new Image();
    // Get the current time
    stime = new Date().getTime();
    // When the image has loaded, put the difference between the start
    // and end time (in ms) into the named field of the form "cacheform".
    img.onload = function () {
        document.cacheform[txtfield].value = new Date().getTime() - stime;
    };
    // Give an error if they gave us a bad URL
    img.onerror = function () {
        alert('Error loading ' + imgurl);
    };
    // Load the image
    img.src = imgurl;
}
>IE4+ images also have a 'complete' attribute which reflects the
>same information as onload.
I tried using complete initially, but the callback was easier and
more portable.
>This can easily be foiled by turning off JavaScript on
>untrusted sites or setting cache policy to check for newer
>versions of documents on every access. It is already likely
You would think so. But actually I find that setting "Always" in IE5
on the Mac does *not* go and fetch the page again. Your mileage
may vary, try it at
http://www.somewhere.com/software/javascript/cache.html
The news article I saw said that it is possible to do the test
without JavaScript. I haven't read the Princeton article, but I can
imagine ways to do it.
>to be confused by shared proxy caches and setups where there
>is no local cache.
A proxy cache is not going to return the image anywhere near as
quickly. On a 300MHz G3 I'm getting timings of around 3-5ms for an
in-cache image, and several hundred ms for an image on a local server
on my LAN.
>Calling it a 'cache cookie' is overselling it a bit IMHO
>- it can't contain a value, only a yes/no response for each
>possible key (URL), and an unreliable one at that. Trawling
>many URLs at once would be slow, and the user would be more
>likely to notice it.
Yes, it's really not a cookie, and I wish they hadn't used that term.
It's primarily useful for seeing if a user has visited a particular
site recently. I could definitely imagine companies using it for
offering discounts or matching competitors' prices. Targeting it at
only users who had actually gone to the competitor's site would make
some sense. Beyond that I'm not sure what you'd use it for unless
you want to see if somebody has been to a particular porn site.
>Since the act of running the cache-bug will itself cache the
>target URL, it's also likely to get confused by reporting
>false cache hits caused by itself and possibly other cache
>bugs.
Clearly you need to do something intelligent with the information you
get--most obvious would be storing it in a real cookie, or modifying
the links on the current page.
--
Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
Now Playing - Folk, Rock, odd stuff - http://www.somewhere.com/playlist.cgi
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
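Added example (not from the thread above): the post notes that a visitor cannot rely on the browser's own "check every time" setting, so the countermeasure that a site controls is to keep its resources out of the browser cache in the first place, with HTTP/1.1 Cache-Control. The Node.js helpers below (names are this example's own) classify a response's cache exposure and build headers a site can emit for resources it does not want probeable.

```javascript
// Parse a Cache-Control header into a map of directive -> value
// (true for bare directives such as no-store).
function parseCacheControl(header) {
  const directives = {};
  for (const part of (header || '').split(',')) {
    const [name, value] = part.trim().split('=');
    if (!name) continue;
    directives[name.toLowerCase()] =
      value === undefined ? true : value.replace(/^"|"$/g, '');
  }
  return directives;
}

// Case-insensitive header lookup (Node lowercases incoming names,
// but an outgoing header object may use any case).
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Classify how a cached copy of this response could answer a timing probe:
//   'no-store'   - never written to the cache, nothing to time
//   'revalidate' - stored, but must round-trip to the origin before reuse,
//                  so the load time looks like a network fetch
//   'cacheable'  - served straight from the cache (a few ms), i.e. probeable
function cacheExposure(headers) {
  const cc = parseCacheControl(getHeader(headers, 'cache-control'));
  if (cc['no-store']) return 'no-store';
  if (cc['no-cache'] || cc['max-age'] === '0' || cc['must-revalidate']) {
    return 'revalidate';
  }
  if (getHeader(headers, 'expires') === '0') return 'revalidate';
  return 'cacheable';
}

// Headers for a resource (an image, a page) that should never sit in a
// browser cache where a third-party page could time it. Pragma/Expires
// cover HTTP/1.0 caches and proxies that ignore Cache-Control.
function uncacheableHeaders(contentType) {
  return {
    'Content-Type': contentType,
    'Cache-Control': 'no-store, no-cache, must-revalidate, max-age=0',
    'Pragma': 'no-cache',
    'Expires': '0',
  };
}
```

Pass `uncacheableHeaders('image/gif')` to `res.writeHead(200, ...)` in a Node HTTP handler to serve a resource this way; the trade-off is that every visit refetches it.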