Document type:
Conference paper with proceedings
Title:
Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users
Author(s):
Mishra, Vikas [Author]
Self-adaptation for distributed services and large software systems [SPIRALS]
Laperdrix, Pierre [Author]
Self-adaptation for distributed services and large software systems [SPIRALS]
Rudametkin, Walter [Author]
Self-adaptation for distributed services and large software systems [SPIRALS]
Rouvoy, Romain [Author]
Institut universitaire de France [IUF]
Self-adaptation for distributed services and large software systems [SPIRALS]
Conference title:
PETS 2021 - The 21st International Symposium on Privacy Enhancing Technologies
City:
Virtual
Country:
France
Conference start date:
2021-07-12
Keyword(s) in English:
web tracking
web privacy
browser cache
HAL discipline(s):
Computer Science [cs]/Cryptography and Security [cs.CR]
Abstract in English: [en]
Many browser cache attacks have been proposed in the literature to sniff the user's browsing history. All of them rely on specific time measurements to infer whether a resource is in the cache or not. Unlike the state of the art, this paper reports on a novel cache-based attack that is not a timing attack but that abuses the HTTP cache-control and expires headers to extract the exact date and time when a resource was cached by the browser. The privacy implications are serious, as this information can be used not only to detect whether a website was visited by the user but also to build a timeline of the user's visits. This goes beyond traditional history sniffing attacks, as we can observe visit patterns and model the user's behavior on the web.

To evaluate the impact of our attack, we tested it on all major browsers and found that all of them, except the ones based on WebKit, are vulnerable to it. Since our attack requires specific HTTP headers to be present, we also crawled the Tranco Top 100K websites and identified 12,970 of them that can be detected with our approach. Among them, 1,910 deliver resources with expiry dates greater than 100 days, enabling long-term user tracking. Finally, we discuss possible defenses at both the browser and standard levels to prevent users from being tracked.
Language:
English
Peer-reviewed:
Yes
Audience:
International
Popular science:
No
Collections:
Source:
Files
- https://hal.inria.fr/hal-03017222/document
- Open access
- dejavu-pets21.pdf