Tracking through cache abuse

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Mon, 25 Jul 2011 20:54:05 +0200
To: ietf-http-wg@w3.org
Message-ID: <redr271mt9er45npjo41fnrrup8unur4u3@hive.bjoern.hoehrmann.de>

Hi,

  http://tools.ietf.org/html/draft-ietf-httpbis-p6-cache-15 currently
does mention that "Because cache contents persist after an HTTP request
is complete, an attack on the cache can reveal information long after a
user believes that the information has been removed from the network",
but does not seem to address privacy issues that go along with that.

"Evercookie" for instance abuses the ETag header as a tracking mechanism,
and specially crafted cached resources to the same end; others abuse 301
redirects, and there are other features that can be abused this way. The
draft should note this as a general problem and cite some of the things
we know about as examples.

regards,
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Monday, 25 July 2011 18:54:43 GMT
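
Added example, not part of the original message: a Python audit check for the ETag case mentioned above. It flags URLs where clients that started with empty caches received byte-identical bodies but a different ETag each, because a cache later echoes that value back in If-None-Match on revalidation. The observation tuples, host name and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed observations: (client label, URL, ETag received, response body).
# Every client is assumed to have fetched with an empty cache and no cookies,
# so any difference between the ETags was chosen by the server.
OBSERVATIONS = [
    ("client-a", "https://example.test/logo.png", '"5d41402a"', b"PNG-bytes"),
    ("client-b", "https://example.test/logo.png", '"5d41402a"', b"PNG-bytes"),
    ("client-c", "https://example.test/logo.png", 'W/"5d41402a"', b"PNG-bytes"),
    ("client-a", "https://example.test/pixel.gif", '"u-91c3f0"', b"GIF-bytes"),
    ("client-b", "https://example.test/pixel.gif", '"u-1b77e2"', b"GIF-bytes"),
    ("client-c", "https://example.test/pixel.gif", '"u-c40a5d"', b"GIF-bytes"),
]


def opaque_tag(etag):
    """Drop the weak-validator prefix so W/"x" and "x" compare equal."""
    return etag[2:] if etag.startswith("W/") else etag


def per_client_etags(observations, min_clients=3):
    """Return {url: sorted ETags} for URLs whose ETag is unique per client
    even though every client received the same bytes."""
    groups = defaultdict(dict)  # (url, body digest) -> {client: etag}
    for client, url, etag, body in observations:
        digest = hashlib.sha256(body).hexdigest()
        groups[(url, digest)][client] = opaque_tag(etag)

    flagged = {}
    for (url, _digest), by_client in groups.items():
        # Too few clients proves nothing: two backends that derive ETags
        # from local file metadata can also disagree on identical content.
        if len(by_client) < min_clients:
            continue
        tags = set(by_client.values())
        if len(tags) == len(by_client):  # one distinct validator per client
            flagged[url] = sorted(tags)
    return flagged


if __name__ == "__main__":
    for url, tags in per_client_etags(OBSERVATIONS).items():
        print(f"{url}: {len(tags)} clients, {len(tags)} distinct ETags")
```

A flagged URL is a lead for manual review rather than proof of tracking; raising min_clients reduces false positives from server farms whose backends generate different ETags for the same file.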
