- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Mon, 25 Jul 2011 19:27:23 +0000
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- cc: ietf-http-wg@w3.org
In message <redr271mt9er45npjo41fnrrup8unur4u3@hive.bjoern.hoehrmann.de>, Bjoern Hoehrmann writes:
> http://tools.ietf.org/html/draft-ietf-httpbis-p6-cache-15 currently
>does mention that "Because cache contents persist after an HTTP request
>is complete, an attack on the cache can reveal information long after a
>user believes that the information has been removed from the network",
>but does not seem to address privacy issues that go along with that.
>
>"Evercookie" for instance abuses the ETag header as tracking mechanism,
>and specially crafted cached resources to the same end; others abuse 301
>redirects, and there are other features that can be abused this way. The
>draft should note this as a general problem and cite some of the things
>we know about as examples.

There is a very important difference between second and third party
attacks we should make clear here.

The first paragraph talks about a 3rd party exploitable privacy leak,
the second paragraph talks about a 2nd party deliberate privacy break.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 25 July 2011 19:27:58 UTC
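The ETag tracking mechanism the quoted message refers to, as an added example that is not code from this thread or from the Evercookie project: the origin server (the "2nd party" in Poul-Henning's terms) hands out a per-visitor identifier as the entity-tag of a resource and marks it must-revalidate; on every later visit the browser's cache echoes that identifier back in If-None-Match, so the site re-identifies the visitor with no cookie involved. The server and browser classes, the resource path /pixel.gif and the response body are constructed for the simulation. Clearing cookies does not break the link; only clearing the cache does.

```python
"""Simulation of ETag-based visitor tracking. Added example; the server,
browser, URL and body are constructed for illustration, not taken from
the draft or from any real site."""

import secrets

TRACKED_URL = "/pixel.gif"  # hypothetical tracked resource


class TrackingServer:
    """Origin that keeps its visitor id in the ETag instead of a cookie."""

    def __init__(self):
        self.visits = {}  # visitor id -> number of requests seen

    def handle(self, method, path, headers):
        """Return (status, response_headers, body) for one request."""
        if method != "GET" or path != TRACKED_URL:
            return 404, {}, b""
        # A revalidating browser sends the entity-tag it cached earlier;
        # that tag is the identifier we minted for it (quotes stripped).
        tag = headers.get("If-None-Match")
        if tag and len(tag) > 2 and tag[0] == '"' and tag[-1] == '"':
            visitor = tag[1:-1]
            status, body = 304, b""
        else:
            visitor = secrets.token_hex(8)
            status, body = 200, b"GIF89a"  # constructed stub body
        self.visits[visitor] = self.visits.get(visitor, 0) + 1
        resp = {
            "ETag": f'"{visitor}"',
            # Force a conditional request on every use of the resource.
            "Cache-Control": "private, max-age=0, must-revalidate",
        }
        return status, resp, body


class Browser:
    """Minimal cache: stores ETag per URL, revalidates with If-None-Match."""

    def __init__(self, server):
        self.server = server
        self.cache = {}  # url -> (etag, body)

    def fetch(self, path):
        headers = {}
        if path in self.cache:
            headers["If-None-Match"] = self.cache[path][0]
        status, resp, body = self.server.handle("GET", path, headers)
        if status == 304:
            body = self.cache[path][1]  # reuse cached representation
        if "ETag" in resp:
            self.cache[path] = (resp["ETag"], body)
        return status, resp.get("ETag")

    def clear_cache(self):
        """The only client-side action that severs the identifier."""
        self.cache.clear()


def demo():
    """Two visits share an id; a cache clear yields a fresh one."""
    server = TrackingServer()
    browser = Browser(server)
    s1, id1 = browser.fetch(TRACKED_URL)
    s2, id2 = browser.fetch(TRACKED_URL)
    browser.clear_cache()
    s3, id3 = browser.fetch(TRACKED_URL)
    return (s1, s2, s3), id1 == id2, id1 == id3


if __name__ == "__main__":
    print(demo())  # ((200, 304, 200), True, False)
```

Nothing here requires a cross-origin attacker: the site that serves the resource is the one doing the tracking, which is why it falls on the "deliberate privacy break" side of the distinction drawn in the reply, not the "exploitable leak" side. The same cache state is what a third party would have to probe (by timing or by conditional requests to a resource it controls) in the other case.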