Cache attack could reveal people's online tracks

By Robert Lemos

Special to CNET News.com
December 12, 2000, 7:00 a.m. PT
URL: http://news.cnet.com/news/0-1005-201-4110753-0.html

A technique that exploits the way Web browsers store recently viewed data
could compromise Internet users' privacy by allowing an
attacker to check what sites a person has visited recently.

The exploit--called a "timing attack"--allows an unethical Web site to play
20 questions (or more) with a person's browser and check
whether the surfer has recently viewed any sites from a predetermined list.

An employer could use the technique on internal Web sites to see whether any
employees have been visiting the competition's job
listings. A Web portal could check whether a person has recently visited any
of its sponsors.

"The attacks allow any Web site to determine whether or not each visitor has
recently visited some other site" or set of sites,
Edward Felten, a professor of computer science at Princeton University, and
Michael Schneider, a graduate student, wrote in a
paper published at a technical conference last month.

"The attacker can do this without the knowledge or consent of either the
user or the other site," they wrote.

The attack takes advantage of the data caches used by browsers to speed
access to recently visited Web sites.

Caching is a technique that stores copies of frequently accessed data in a
nearby location, whether on a person's PC or on a server
on the local area network. The ability to store recently viewed items
significantly reduces the amount of data that has to move over
the Internet.

How big a threat?
While the two researchers worry that the technique could be a threat to
people's privacy, Richard Smith, chief technology officer of
the nonprofit Privacy Foundation, said that the attack was more technically
interesting than threatening.

"In theory, it might offer some problems for privacy," he said. "Time
magazine could find out if you go to Newsweek and give you a
better offer--seems unlikely, though.

"But it is interesting," he added. "It shows how subtle these things can
be."

What worries Felten and Schneider is the technique's efficiency.

By measuring how long it takes for a person's browser to load in a page
element--say, a graphic or a file--from another site, an
attacker can determine if the element is in the person's cache. If so, that
means the person recently visited that other site.

For example, if the Webmaster of A.com wants to see whether visitors have
been to competitor Z.com, he would pick a cacheable
Web element unique to Z.com--say, the logo. The Webmaster can then write a
Java or JavaScript applet that measures the time it
takes to access the file. That program would be embedded in the pages of
A.com.

When a surfer visits A.com, his or her browser would download the applet and
attempt to access the file from Z.com. If the file is in
the cache, the browser can quickly access it. Otherwise, it has to pull down
the file from the Web, and that takes longer.

The technique can quite accurately gauge whether a site has recently been
accessed by any visitor.

Felten and Schneider found that using a Java or JavaScript applet resulted
in accuracy rates of greater than 98 percent. If the
browser has those features turned off, then a second method of successive
HTML calls can accurately gauge whether a person has
visited a particular site about 94 percent of the time.

Because Java and JavaScript are not necessary, and switching off caching
leads to unacceptable performance degradation, "there
seems to be little hope that effective countermeasures will be developed and
deployed any time soon," Felten and Schneider wrote.

************************************************************************************
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations.To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html
*************************************************************************************