Cache attack: Timing is everything

Measuring the time it takes for users to retrieve Web elements, Princeton researchers discover a subtle new way to determine what sites they've recently visited

A technique that exploits the way in which Web browsers store recently viewed data could compromise privacy by allowing an attacker to check what sites a Netizen has visited recently.

Called a "timing attack", the exploit allows an unethical Web site to play 20 questions (or more) with a user's browser and check whether the surfer has recently viewed sites from a predetermined list.

An employer could use the technique on internal Web sites to see whether employees have been visiting competitors' job listings. A Web portal could check if a user has recently visited any its sponsors.

"The attacks allow any Web site to determine whether or not each visitor has recently visited some other site [or set of sites]," said Princeton University computer science professor Edward Felten and graduate student Michael Schneider in a paper published at a technical conference last month. "The attacker can do this without the knowledge or consent of either the user or the other site."

The attack takes advantage of the data caches that browsers use to speed access to users' recently visited Web sites.

Cacheing is a technique that stores copies of frequently accessed data in a nearby location, whether on the user's PC or on a server on the local area network. The ability to store recently viewed items significantly reduces the amount of data that has to move over the Internet.

That kind of efficiency worries Felten and Schneider, however.

By measuring how long it takes for a user's browser to load a page element, such as a graphic or file, from another site, an attacker can determine if the element is in the user's cache. If so, it means the user recently visited the site.

For example, if the webmaster of A.com wanted to see if users had visited the competition, Z.com, he or she would pick a cacheable Web element unique to Z.com, say, its logo. The webmaster could then write a Java or JavaScript applet to measure the time it takes to access the file and embed the program in the pages of A.com.

When a surfer visits A.com, his or her browser would download the applet and attempt to access the file from Z.com. If the file was in the cache, the browser will have ready access to it. Otherwise, the browser has to pluck the file from the Web, and that takes longer.

Felten and Schneider found that embedded Java or JavaScript applets produced accuracy rates greater than 98 percent.

If a browser has those features turned off, a second method of successive HTML calls can accurately gauge whether a user has visited a particular site about 94 percent of the time.

Because Java and JavaScript are not necessary and switching off caching can cause unacceptable performance degradation, "there seems to be little hope that effective countermeasures will be developed and deployed any time soon," Felten and Schneider wrote in their paper.

While the two researchers believed the technique could be a threat to user's privacy, Richard Smith, chief technology officer of the non-profit Privacy Foundation, thought that the attack was more technically interesting then threatening.

"In theory, it might offer some problems for privacy," he said. "Time magazine could find out if you go to Newsweek and give you a better offer -- seems unlikely, though."

"But, it is interesting," he added. "It shows how subtle these things can be."

They can see you... Read about how and why in Surveillance, a ZDNet News Special

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.