Bugtraq mailing list archives
Re: cache cookies?
From: Kee Hinckley <nazgul () SOMEWHERE COM>
Date: Thu, 14 Dec 2000 00:58:55 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 2:11 PM +0100 12/13/00, Clover Andrew wrote:
> > http://www.princeton.edu/pr/news/00/q4/1205-browser.htm
> > or is it snakeoil?
>
> Well it *can* work. But I don't think the release's claims of being 'very reliable', 'very dangerous [to privacy]' and 'countermeasure-proof' are justified.
I agree that the privacy violation aspects are pretty small. It does, however, appear to be very reliable and difficult to defeat.
> AFAICS what they're talking about is using JavaScript onload events to time how long it takes to load a URL, which can be an image, a frameset, an object (with DOM level 2 events) or
Easiest is to create an onload callback for an image object. The image itself doesn't have to appear on the page. I wrote this as a function that puts the time result in a field (name passed to the function) in a form called "cacheform".

    function LoadAndTimeImage(imgurl, txtfield) {
        var img;
        var stime, etime;
        // Create an image
        img = new Image();
        // Get the current time
        stime = new Date().getTime();
        // Create a function that will be called when the image is loaded; it will take the given text field
        // and put the difference between the start and end time in that field.
        img.onload = new Function("document.cacheform." + txtfield + ".value = new Date().getTime() - " + stime);
        // Give an error if they gave us a bad URL
        img.onerror = new Function("alert('Error loading " + imgurl + "')");
        // Load the image
        img.src = imgurl;
    }
> IE4+ images also have a 'complete' attribute which reflects the same information as onload.
I tried using complete initially, but the callback was easier and more portable.
> This can easily be foiled by turning off JavaScript on untrusted sites or setting cache policy to check for newer versions of documents on every access. It is already likely
You would think so. But actually I find that setting "Always" in IE5 on the Mac does *not* go and fetch the page again. Your mileage may vary; try it at http://www.somewhere.com/software/javascript/cache.html

The news article I saw said that it is possible to do the test without JavaScript. I haven't read the Princeton article, but I can imagine ways to do it.
> to be confused by shared proxy caches and setups where there is no local cache.
A proxy cache is not going to return the image anywhere near as quickly. On a 300mhz G3 I'm getting timings of around 3-5ms for an in-cache image, and several hundred ms for an image on a local server on my LAN.
> Calling it a 'cache cookie' is overselling it a bit IMHO - it can't contain a value, only a yes/no response for each possible key (URL), and an unreliable one at that. Trawling many URLs at once would be slow, and the user would be more likely to notice it.
Yes, it's really not a cookie, and I wish they hadn't used that term. It's primarily useful for seeing if a user has visited a particular site recently. I could definitely imagine companies using it for offering discounts or matching competitors prices. Targeting it at only users who had actually gone to the competitors site would make some sense. Beyond that I'm not sure what you'd use it for unless you want to see if somebody has been to a particular porn site.
> Since the act of running the cache-bug will itself cache the target URL, it's also likely to get confused by reporting false cache hits caused by itself and possibly other cache bugs.
Clearly you need to do something intelligent with the information you get--most obvious would be storing it in a real cookie, or modifying the links on the current page.

- --
Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
Now Playing - Folk, Rock, odd stuff - http://www.somewhere.com/playlist.cgi

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOjj5oyZsPfdw+r2CEQLsLACfWLT9dk5oZ5qlQK/T8TgVzXBTa98AoL52
M2yGIOOtCaVwMBIo0ajaspQ6
=eRCb
-----END PGP SIGNATURE-----
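Added example, not code from the post above or from the Princeton work it discusses: the same onload-timing probe, extended with the two pieces the thread says a real deployment needs. Instead of a hard-coded "about 5 ms" cut-off it measures a cold baseline on a cache-busted control URL in the same run (timings vary by machine and network, as the 3-5 ms versus several hundred ms figures above show), and it keeps a per-visitor store of first answers, because the probe itself caches the target and any repeat measurement would report a false hit. All URLs are example.invalid placeholders, the simulated loader and its timings are constructed so the code runs offline, and the store is a plain object standing in for the real cookie or server-side record the caller would persist.

```javascript
// Browser loader: time one image fetch via onload/onerror. Errors resolve
// (ok: false) instead of rejecting so one bad URL does not abort the batch.
function timeImageLoad(url) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = Date.now();
    img.onload = () => resolve({ url, ms: Date.now() - start, ok: true });
    img.onerror = () => resolve({ url, ms: Date.now() - start, ok: false });
    img.src = url;
  });
}

// Pure classification: a hit is a load that finished in well under the cold
// baseline. hitRatio 0.2 means "at least five times faster than a forced miss".
// A load error says nothing about the cache, so it is reported as null.
function classifySamples(samples, coldMs, hitRatio) {
  return samples.map((s) => ({
    url: s.url,
    ms: s.ms,
    cached: s.ok ? s.ms < coldMs * hitRatio : null,
  }));
}

// Orchestration. `store` is a plain object the caller persists (a real cookie,
// localStorage, or a server-side record keyed by the visitor). URLs already in
// it are never re-measured: the first measurement cached them, so a second
// probe would always report a hit.
function probeCache(urls, controlUrl, store, loader = timeImageLoad, hitRatio = 0.2) {
  const fresh = urls.filter((u) => !(u in store));
  // A unique query string forces a miss on the control; that load time is the
  // client's "cold" baseline for this run.
  const sep = controlUrl.includes('?') ? '&' : '?';
  const bust = `${controlUrl}${sep}nocache=${Date.now()}`;
  return loader(bust).then((control) =>
    Promise.all(fresh.map((u) => loader(u))).then((samples) => {
      for (const r of classifySamples(samples, control.ms, hitRatio)) {
        store[r.url] = r.cached;
      }
      return urls.map((u) => ({ url: u, cached: store[u] }));
    })
  );
}

// Constructed stand-in for the browser so the code runs offline: a cache that
// already holds visited.gif (returns in 4 ms), everything else costs a network
// round trip (hundreds of ms), and any cache-busted URL is always a miss.
const SIMULATED_MS = {
  'http://example.invalid/visited.gif': 4,
  'http://example.invalid/unvisited.gif': 350,
};
function simulatedLoader(url) {
  const ms = url.includes('nocache=') ? 420 : (SIMULATED_MS[url] ?? 400);
  return Promise.resolve({ url, ms, ok: true });
}

// Run twice against the same store: the second pass fetches only the control
// and returns the remembered answers unchanged.
async function demo() {
  const store = {};
  const targets = Object.keys(SIMULATED_MS);
  const control = 'http://example.invalid/control.gif';
  const first = await probeCache(targets, control, store, simulatedLoader);
  let loads = 0;
  const counting = (u) => { loads += 1; return simulatedLoader(u); };
  const second = await probeCache(targets, control, store, counting);
  return { first, second, loadsOnSecondRun: loads };
}
```

In a browser, call probeCache with the default loader and a control image hosted on the probing site; the control only needs to be a real network fetch, it does not have to live on the same server as the targets, since any round trip is far slower than a local cache hit. Errors are surfaced as null rather than guessed at, and the store is what turns a one-shot timing into something you can act on (a real cookie, or rewritten links on the page, as the post suggests) without ever measuring the same URL twice.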
Current thread:
- Re: cache cookies? Clover Andrew (Dec 14)
- Re: cache cookies? Thomas Reinke (Dec 15)
- Re: cache cookies? James N. Potts (Dec 16)
- Re: cache cookies? Dan Harkless (Dec 16)
- Re: cache cookies? MadHat (Dec 18)
- Re: cache cookies? Steve Shockley (Dec 16)
- Re: cache cookies? Rossen Raykov (Dec 16)
- Re: cache cookies? Nick Lamb (Dec 18)
- Re: cache cookies? Thomas Reinke (Dec 18)
- Re: cache cookies? Kee Hinckley (Dec 16)
- Re: cache cookies? Szilveszter Adam (Dec 18)
- Re: cache cookies? James Taylor (Dec 19)
- Re: cache cookies? Szilveszter Adam (Dec 18)
- <Possible follow-ups>
- Re: cache cookies? Rob Lemos (Dec 18)
- Re: cache cookies? Wham Bang (Dec 18)
- Re: cache cookies? Lincoln Yeoh (Dec 19)
- Re: cache cookies? Wham Bang (Dec 19)
- Re: cache cookies? Thomas Reinke (Dec 15)