W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: Tracking through cache abuse

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 25 Jul 2011 14:58:24 -0400
Cc: ietf-http-wg@w3.org
Message-Id: <44F659D2-00A2-496E-B224-991E60B8A354@mnot.net>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Hi Bjoern,

Can you suggest text? Seems it would need to be in p2 (redirects), p4 (conditional) as well as p6 (caching).

Cheers,


On 25/07/2011, at 2:54 PM, Bjoern Hoehrmann wrote:

> Hi,
> 
>  http://tools.ietf.org/html/draft-ietf-httpbis-p6-cache-15 currently
> does mention that "Because cache contents persist after an HTTP request
> is complete, an attack on the cache can reveal information long after a
> user believes that the information has been removed from the network",
> but does not seem to address privacy issues that go along with that.
> 
> "Evercookie" for instance abuses the ETag header as tracking mechanism,
> and specially crafted cached resources to the same end; others abuse 301
> redirects, and there are other features that can be abused this way. The
> draft should note this as a general problem and cite some of the things
> we know about as examples.
> 
> regards,
> -- 
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
> 

--
Mark Nottingham   http://www.mnot.net/
Received on Monday, 25 July 2011 18:58:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:46 GMT