Browser History Sniffing Is Back

← Back to Stories (view on slashdot.org)

Browser History Sniffing Is Back

Posted by timothy on Sunday December 4, 2011 @11:33AM from the this-time-it's-interstitial dept.

An anonymous reader writes "Remember CSS history sniffing? The leak is plugged in all major browsers today, but there is some bad news: in a post to the Full Disclosure mailing list, security researchers have showcased a brand new tool to quickly extract your history by probing the cache, instead. The theory isn't new, but a convincing implementation is."

119 of 161 comments (clear)

Min score:

Reason:

Sort:

Easy work-around by richkh · 2011-12-04 11:38 · Score: 5, Informative

Fixed cache size of 0.
1. Re:Easy work-around by CastrTroy · 2011-12-04 12:44 · Score: 5, Insightful
  
  I do this all the time. My history is disabled by default. Cache is 0. I have never really had a need for history in the past 10 years. If I want to find something again, it's faster to just Google it. Or if I find something that I really don't want to lose, I just bookmark it. No reason to keep a history.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
2. Re:Easy work-around by icebraining · 2011-12-04 12:53 · Score: 5, Informative
  
  Cache and history are completely different features. 0 cache means you'll have to download the same CSS/JS/image files over and over again for each page on the same website, which is a waste of resources for both you and the server.
  
  --
  Dilbert RSS feed
3. Re:Easy work-around by zoloto · 2011-12-04 13:21 · Score: 5, Insightful
  
  well, if sites would stop using so much garbage for simple content we wouldn't have this problem now would we?
4. Re:Easy work-around by icebraining · 2011-12-04 13:35 · Score: 3, Informative
  
  There are plenty of cases where actual content - images, videos, etc - benefit from caching. It's not all garbage.
  
  --
  Dilbert RSS feed
5. Re:Easy work-around by fuzzyfuzzyfungus · 2011-12-04 13:41 · Score: 4, Interesting
  
  Completely different features; but not completely different datasets...
  
  If I'm trying to infer where you've been, a nicely formatted(often with handy metadata, timestamps, etc.) history list sure is handy, if I can get access to it; but it's also an obviously juicy target, and something that browser designers are going to try to keep me away from.
  
  Your cache is a lot messier; but it does provide grounds for inference about where you've been(and thus can retrieve from cache in essentially zero time) and where you haven't recently been(and thus have to burn a few tens to hundreds of milliseconds retrieving from a remote host)... Worse, unlike history(which is really just a convenience feature for the user, and can be totally frozen out of any remotely observable aspect of loading a page, those purple links aren't life or death...) the browser cache is an architectural feature that one cannot remove without sacrificing performance, and one cannot even easily obfuscate without sacrificing performance. It's a much lousier dataset than the history, since history is designed to document where you've been but cache only does that partially and incidentally; but it is one that is harder to get rid of without user-visible sacrifices and increases in network load...
6. Re:Easy work-around by icebraining · 2011-12-04 14:12 · Score: 3, Interesting
  
  You wouldn't need to eliminate the cache, just Javascript's ability to measure the load times reliably. For example, you could prevent scripts from reading the state of a particular resource during the e.g. 500 milliseconds after setting its URL, regardless of the source used (cache or network).
  
  --
  Dilbert RSS feed
7. Re:Easy work-around by fuzzyfuzzyfungus · 2011-12-04 14:24 · Score: 4, Informative
  
  You'd also have to ensure that page elements don't load in any deterministic or controllable order, and that the number of requests the browser has going concurrently isn't predictable: If I can control the order in which your browser loads my page's elements, I can make useful inferences about the load time of a 3rd party resource, without any client javascript, by sandwiching its loading between the loading of two resources(at dynamically generated URLs, to ensure that you couldn't possibly have cached them) on servers I control. Not perfect, because various other factors could affect the time it takes your requests to hit my servers; but likely better than nothing.
  
  It would also be a bit tricky because inferential attacks wouldn't necessarily have to ask politely for the state of the resource they are interested in, they could instead attempt something else(say a script operation that will fail in a particular way unless the 3rd party resource is available). Barring a solution much cleverer than I can think of, you'd be at considerable risk of having to break progressive loading of pages entirely(or at least into human-visible-and-annoying stuttery chunks) in order to keep prevent a combination of a page interrogating its own state on the client, and correlating with timestamps on requests to servers controlled by the attacker...
8. Re:Easy work-around by RandomAvatar · 2011-12-04 14:31 · Score: 1
  
  This depends completely on personal preference however. Personally, I don't care if I have to re-download everything on a single page, and if it stops people from breaching privacy and gives them a little kick while it's at it, all the better.
9. Re:Easy work-around by icebraining · 2011-12-04 15:05 · Score: 5, Insightful
  
  You might not care, but the guy paying for the server's bandwidth certainly does ;)
  
  --
  Dilbert RSS feed
10. Re:Easy work-around by Freshly+Exhumed · 2011-12-04 17:02 · Score: 1
  
  Yep, but first install a Squid proxy on an internet-facing machine and then set all internal browsers to proxy through it, then set all browsers to use a cache size of 0.
  
  --
  I deny that I have not avoided attaining the opposite of that which I do not want.
11. Re:Easy work-around by Anonymous Coward · 2011-12-04 17:36 · Score: 3, Informative
  
  If I correctly understand how this attack works, they could easily read your proxy cache the same way.
12. Re:Easy work-around by Anonymous Coward · 2011-12-04 19:50 · Score: 3, Funny
  
  If I want to find something again, it's faster to just Google it. Or if I find something that I really don't want to lose, I just bookmark it. No reason to keep a history.
  If your ultimate purpose was more privacy, I find it VERY amusing that you ended up willingly sharing everything with Google, of all parties. :D
13. Re:Easy work-around by Anonymous Coward · 2011-12-04 20:19 · Score: 1
  
  Yeh. Google it. Because Google doesn't keep tabs on you either?
  I don't see the point of disabling cache to keep your history private when its so likely that Google knows it anyway. People are more likely to repeat a past search query than use the bookmark or history features found in browsers. Just for kicks set your resolver for 8.8.8.8 and pretend no one is watching that either.
  Pretend your ISP would never do it either.
  Pretend that Facebook button on every page in existence is a convenience thing just for you.
  The only reason you'd need to sniff my browser cache is because you're sucking at the Internet. Those that don't suck... they have your history already.
  Privacy on the Internet is a thing of the past.
14. Re:Easy work-around by KXeron · 2011-12-04 20:55 · Score: 4, Informative
  
  There is a large difference between "user" and "customer", the problem is you may think that you are a "customer" (or at least potential customer) of every site you visit, but this is incorrect.
  "Customer" implies that there is a business relationship in play, however if it is a forum or other free resource, you will never be a customer as there is nothing to purchase. Not every website on the internet is a business.
  It is often seen as abuse when a user downloads or needlessly accesses a resource (files) multiple times and website administrators often have no qualms blocking abuse, it means less load on their site's server and more resources free (bandwidth, connection slots on the webserver daemon) for other users and on top of that: potentially lowering their bill.
  Coming from experience, I've seen people use download managers and misconfigure them purposefully so they open 20-100+ connections to a file feeling that the website somehow owes them that file, doing so on a webpage with a browser is no different.
15. Re:Easy work-around by lpq · 2011-12-04 20:59 · Score: 2
  
  Except that if you read the article, it targets your cache, not your history.
  It just tries to load various sites to see if they load quickly or not. If yes, then in local cache, else not. Thus used as how recently you have visited site (it it still in cache).
  History -- i keep that going back about 240-360 days... much faster and more useful than google.
  I mean if I wanna go to a site, why would I go to google rather than typing in a few letters of the site, -- and it knows which ones I visit most... all stored in my private cache... no ads inserted...
  And you'd delete your history and use google -- when it's NOT the privacy issue (unless your machine is physically compromised...)...
  Funny thing is the thing doesn't work very well.
  First I had to permit it to run w/noscript.
  But then it ran and came back that I hadn't visited slashdot (among several others ) that visit almost daily, but certainly within the last week.
  Oh... Gee, howwdoes his test work, it tries to use your browser to contact other website... um... you wanna just allow that at random? Well, interface could use a bit of work, but Request Policy, doesn't allow the things that go through no script because they are simple fetches...
  Though on one website, as soon as I gave a site needed permission to run its interface, it loaded an XUL security sheet that rewrote my browsers allowed security policy so it could talk to any site it wanted...
  Ad block, blocked the XUL sheet.
  The site stopped being functional (music play site) in any way.
  Sigh.
16. Re:Easy work-around by Per+Wigren · 2011-12-04 21:21 · Score: 1
  
  if you both turn of all you're scripting and caching
  But neither of us turn of all we're scripting and caching so the problem persists.
  
  --
  My other account has a 3-digit UID.
17. Re:Easy work-around by Pieroxy · 2011-12-04 21:44 · Score: 1
  
  How will that prevent this exploit? It could is your proxy is not faster that your internet connection... but what purpose would your proxy serves then?
  
  --
  Write boring code, not shiny code!
18. Re:Easy work-around by GameboyRMH · 2011-12-05 01:18 · Score: 1
  
  Here's an idea to kill the cache attack, have cache loading speed simulate the network connection speed: Have the browser gather stats on its network use. Say the average load speed (call it AVGSPD) is 100KBps and the average lag (call it AVGLAG) is 0.5s. If it's about to load a big 500KB image from cache, it first introduces a delay of AVGLAG*random(0.5,1.5), and then an additional delay of FILESIZE/(AVGSPD*random(0.9,1.1)), so fetching the file would take somewhere around 5 seconds. This simulates the slowdown of fetching the file over the network but doesn't use any additional bandwidth. It will make page loads look a bit less snappy but will kill this cache attack.
  However this could still be defeated by using an AJAX script or something to have an attacking server and client script work together to basically gauge the user's connection speed while downloading a large file with a dynamic URL from the attacking server, and then trying to load data from websites and checking for a connection speed drop. If it doesn't drop that means the file was cached, but at least the practicality and stealth of the attack is reduced.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
19. Re:Easy work-around by GameboyRMH · 2011-12-05 01:29 · Score: 1
  
  There's a browser plugin you can use to anonymize Google queries, although if you signed up for a Gmail account in a more innocent time like I did and haven't migrated to your own hosting yet, the best thing you can do to reduce your Google footprint is to open your Gmail/Google Reader/Youtube/whatever pages in a separate browser from everything else. Firefox could use "tab sandboxing" - where individual tabs can be like their own private browsing session, basically. I think Chrome has something like that.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
20. Re:Easy work-around by GameboyRMH · 2011-12-05 01:32 · Score: 1
  
  But in order not to further scare you, if you turn off javascript, 80% of the connecting adnetworks won't load any ads (and their profiling stuff)
  and if you both turn of all you're scripting and caching, I won't be able to profile much besides your visits to sites running within our ad network.
  Haha if only. A lot (and I mean A LOT) of tracking services use pure HTML tracking, to disable them you have to control cross-domain requests. Ghostery or RequestPolicy are good plugins for doing this.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
21. Re:Easy work-around by CastrTroy · 2011-12-05 02:03 · Score: 1
  
  Or even better, always load something from the website when the content is third party. So if you're visiting random site, and they get you to load facebook content, then it would never look in your cache. There really would be some adjustments needed, to help with CDNs (content distribution networks), but that could be solved. Allow the browser to load anything from a subdomain from cache, but content that is from an unrelated domain always loads from the web. If you are using a CDN, just use a subdomain of your actual site to point toward the content, and you are set. It would cause slowdowns with all those sites that point to Google for JQuery and other similar mass hosted stuff, but probably a very small price to pay to protect your privacy.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
22. Re:Easy work-around by BrokenHalo · 2011-12-05 02:18 · Score: 1
  
  I think Chrome has something like that.
  I wouldn't count on it. I may be completely off-beam here, but given Chrome's parentage, I would expect it to call home to report whatever information Google might find useful. I don't yet know to what extent (if any) the OSS version, Chromium does this, but I'm looking now. So far, I like what I see. If anyone has any insight on caveats here, I'll be interested to hear of them.
23. Re:Easy work-around by GameboyRMH · 2011-12-05 02:23 · Score: 1
  
  It's a valid concern, last I remember the only thing Chrome sends off is search requests as you type them, but now Firefox does that too (to use the search provider's autocomplete feature). Of course if you don't want to trust Chrome there's always Chromium.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
24. Re:Easy work-around by neonKow · 2011-12-05 03:54 · Score: 1
  
  A much less selfish solution would be NoScript. You are effectively using the same resources as 5-10 people for everything from bandwidth the server requests. I don't see why you think using more of your ISP and Facebook's resources is giving malicious script writers a "kick."
25. Re:Easy work-around by Oligonicella · 2011-12-05 04:25 · Score: 1
  
  Aren't you the guy who suggested that web sites should be paying you to visit?
26. Re:Easy work-around by RandomAvatar · 2011-12-05 05:22 · Score: 1
  
  I strongly disagree with this statement. I believe it is the people that are using cache sniffers that are the parasites because they are the ones forcing people to do things like this in order to protect their right to privacy. I have no problem using cache, but if I have to sacrifice my privacy just to lighten the load on others, I will not use my cache. I have a right to privacy, and if people want to peep on me, then I will do my best to prevent them from doing so. Besides, isn't this sort of thing illegal? I am no lawyer, but I am pretty sure that invasion of privacy is illegal.
27. Re:Easy work-around by al0ha · 2011-12-05 06:26 · Score: 1
  
  So what? My personal box is nowhere near tapped out, I've been doing this since I got my first broadband connection and originally on a single core. And who gives a rats a** about the remote server resource useage?
  
  --
  Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
28. Re:Easy work-around by houghi · 2011-12-05 06:38 · Score: 1
  
  Proof of concept (and a bit more then that)
  http://www.google.com/images/nav_logo95.png
  
  --
  Don't fight for your country, if your country does not fight for you.
29. Re:Easy work-around by Eponymous+Hero · 2011-12-05 09:54 · Score: 1
  
  oy vey. the cache has nothing to do with your privacy. they are using a css bug involving the browser history list. ever notice that you have to choose each of those separately when clearing browser activity?
  
  also, if the internet is considered a public space (or the private space of others, such as the domain owners) then your actions are not protected by your privacy rights. that's like saying you demand to have your face blurred out automatically on surveillance cameras at the mall. don't look now, but TFA itself has tracking pixels in the source code immediately following TFA text.
  
  here it is:
  
  --
  insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
30. Re:Easy work-around by Eponymous+Hero · 2011-12-05 09:56 · Score: 1
  
  whoops, accidental submit...
  
  <
  img
  class="zemanta-pixie-img"
  src="http://img.zemanta.com/pixy.gif?x-id=beb18e6e-9215-4ff7-ae69-89d7db256d89
  alt="">
  
  --
  insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
31. Re:Easy work-around by RandomAvatar · 2011-12-05 10:52 · Score: 1
  
  Again, I would have to disagree. If others want to go to the websites themselves and ask them for information on who has visited their website, that is their prerogative. What I am disagree with is them taking the information from MY computer. if someone wants to sell info on the IP addresses that have visited them, fine. But if someone wants to go sniffing around my computer, even if it is just in the cache, I will do what I can to stop them.
Unreliable by cpicon92 · 2011-12-04 11:41 · Score: 3, Informative

This tool seems unreliable (at least in Chrome). I've been on YouTube five times in the past 48 hours and it still showed up grey on the sniffer.
1. Re:Unreliable by Anonymous Coward · 2011-12-04 12:07 · Score: 2, Funny
  
  This tool seems unreliable (at least in Chrome). I've been on YouTube five times in the past 48 hours and it still showed up grey on the sniffer.
  Most likely an OS/Vendor issue.
  If you're using a Mac, pretty much every sniffer tool will show up ghey.
2. Re:Unreliable by Hentes · 2011-12-04 12:18 · Score: 1
  
  Yeah, it's too inaccurate to be convincing. A random algorithm weighted on popularity could have a similar success rate. Maybe if the number of tested sites were increased it would be more clear whether it works or not.
3. Re:Unreliable by Ethanol-fueled · 2011-12-04 12:49 · Score: 1, Troll
  
  I use Firefox with NoScript, instructing the browser to clear everything when it closes. I made a NoScript exception and tried the tool, and it failed to detect anything except Lowe's! I have never visited the Lowe's website, and I have never shopped there*!
  
  * Home Depot is where it's at, especially for cheap Mexicans!
4. Re:Unreliable by PopeRatzo · 2011-12-04 13:33 · Score: 3, Funny
  
  Home Depot is where it's at, especially for cheap Mexicans!
  That's great news. The Mexicans at Lowe's are really overpriced.
  
  --
  You are welcome on my lawn.
5. Re:Unreliable by cicuz · 2011-12-05 00:01 · Score: 1
  
  I got a grey list (not surprising, I don't use Chrome that much..), so I went on googleplus' home page and rerun the test.. Then I got a green on google plus AND facebook :-| What's up with that?
6. Re:Unreliable by GameboyRMH · 2011-12-05 01:37 · Score: 1
  
  Facebook's "like" button is a tracking widget, that loads a page which then contains JS to do more in-depth analytics if you're not using a script blocker. The page the Like button fetches is probably what the test page checks for.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
Not surpisiing by Anonymous Coward · 2011-12-04 11:43 · Score: 1, Insightful

Browser developers are not doing proper development anymore. They are too busy playing stupid games like hiding http://, removing status bars, inflating the version numbers and breaking your extensions to do things like security or proper memory management.
Javascript required? by betterunixthanunix · 2011-12-04 11:47 · Score: 5, Informative

This appears to require Javascript. Thank you, noscript.

--
Palm trees and 8
1. Re:Javascript required? by danbuter · 2011-12-04 12:17 · Score: 5, Insightful
  
  NoScript should just be added in as part of default Firefox. It's very easy to manage, and saves me lots of headaches.
2. Re:Javascript required? by inzy · 2011-12-04 12:31 · Score: 1
  
  ...and it confuses the hell out of a lot of people who don't understand what javascript is. "I just want to see the webpage"
  Rather than trying to get people using what is frankly an arcane and imprecise tool, we would be better off removing the incentive which makes data theft valuable. This then becomes and economic and social problem rather than technical. there are few situations where the latter can be solved well with the former
3. Re:Javascript required? by swillden · 2011-12-04 12:51 · Score: 1
  
  This appears to require Javascript. Thank you, noscript.
  It doesn't, really. This proof of concept is implemented using Javascript, because it's easier, but the basic concept doesn't require Javascript to work.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
4. Re:Javascript required? by icebraining · 2011-12-04 13:01 · Score: 2
  
  How do you observe download timings without Javascript?
  
  --
  Dilbert RSS feed
5. Re:Javascript required? by bussdriver · 2011-12-04 13:35 · Score: 3, Interesting
  
  YES! I 2nd that! But it should be better integrated and off by default -- they can try to hint users into using it by other means. I have NoScript on by default just because I was sick of white listing everything; but any site I feel bad about I blacklist. Its not as secure but it is doing something. Add a subscription list like AdBlock has and it wouldn't be so bad for people who want to help compile black and white lists. Normal users would get a blacklist with it always on by default and others who know better will know enough to flip the policy. The paranoid would turn off the subscription lists and do it all themselves.
  I would like a power-user area to block certain DOM features completely. I do not trust canvas by default or most the newer DOM features by default; it should ask me to ok those when a site tries to use them. (the lists mentioned above could specify what is white or black listed not just whole domains etc.) Actually, I'm wary of CSS3 fonts because font render engines haven't been a focus of security and 3D drivers... you are lucky to have stable fast 3D; security? currently a pipe dream.
  A DOM js access list by domain would be a lot like a sandbox system for websites.
  
  --
  Democracy Now! - uncensored, anti-establishment news
6. Re:Javascript required? by TubeSteak · 2011-12-04 13:58 · Score: 3, Informative
  
  It's very easy to manage
  I've installed NoScript for non-technical people and it almost immediately caused them headaches.
  There are plenty of internal academic/work websites that rely on fetching scripts from third parties...
  Which is exactly what NoScript is designed to prevent.
  And then there are endless websites that want you to allow scripts from a CDN or Google APIs or social bookmarking.
  NoScript's generic default allows aren't inclusive enough to keep websites from breaking for most people.
  
  --
  [Fuck Beta]
  o0t!
7. Re:Javascript required? by larry+bagina · 2011-12-04 14:02 · Score: 1
  
  Java (mentioned in the paper) or possibly flash.
  
  --
  Do you even lift?
  These aren't the 'roids you're looking for.
8. Re:Javascript required? by icebraining · 2011-12-04 14:15 · Score: 3, Informative
  
  Oh, ok, but NoScript blocks those too, so betterunixthanunix's point still stands.
  
  --
  Dilbert RSS feed
9. Re:Javascript required? by hedwards · 2011-12-04 15:23 · Score: 1
  
  I ended up replacing it with request policy as half the time I ended up having to enable all the javascript to get the page to load anyways. I mostly just wish it provided a method of blacklisting things like Facebook that never add any value to the site.
10. Re:Javascript required? by hedwards · 2011-12-04 15:29 · Score: 2
  
  I've noticed that. When I'm using noscript I tend to spend most of my time enabling things on sites as I often times can't even see the site. I've found that request policy is a lot easier to use in many ways, but unfortunately lacks any sort of black list so you're limited in what you can do as far as blocking portions of a site's javascript collection.
11. Re:Javascript required? by swillden · 2011-12-04 16:10 · Score: 2
  
  Sandwich them between requests to a real server, which you control. Network latency jitter would make the attack less reliable, but I'll bet it would still work reasonably well. Better if you have a low-latency path to the target. ISPs could probably implement it with very high reliability.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
12. Re:Javascript required? by Arker · 2011-12-04 16:34 · Score: 3, Insightful
  
  And this wont stop as long as most people are stupid enough to accept browsers that will just run whatever random script some random website hands them. Unfortunately, it's a bit of a chicken and egg problem in that way. If the major browsers would behave sanely, these insanely bad web practices wouldnt work, and the insanely bad 'web designers' that come up with them would have to learn to write real web pages or find another line of work. As is, too many people dont know and dont want to know, and we all pay the price in one way or another.
  I'll keep my noscript and be happy that broken pages actually display as broken for me, so I know to avoid them, rather than having my browser just randomly download and execute whatever crap codes the broken web page needs to make it look like something else.
  
  --
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Friends don't let friends enable ecmascript.
13. Re:Javascript required? by icebraining · 2011-12-04 16:47 · Score: 1
  
  How does that work considering that most browsers download resources in parallel (even if they actually load them to the page in order), particularly from different domains?
  
  --
  Dilbert RSS feed
14. Re:Javascript required? by godel_56 · 2011-12-04 20:30 · Score: 1
  
  This appears to require Javascript. Thank you, noscript.
  From the last line in TFA, "If you are using NoScript or other privacy tools, the test will fail even if you whitelist this site."
  Thank you, NoScript.
  BTW, If you use NoScript, send the author a few bucks. I'll bet very few actually do.
15. Re:Javascript required? by Anonymous Coward · 2011-12-04 23:01 · Score: 1
  
  what's wrong with "Mark fbcdn.net as untrusted"?
16. Re:Javascript required? by Ailure · 2011-12-04 23:04 · Score: 1
  
  It's useful for being able to visit random websites without the fear of Javascripts exploits. Also useful for selectively blocking websites, such as Facebook (I do not trust it, and Facebook stuff is embedded everywhere).
17. Re:Javascript required? by Ensign+Morph · 2011-12-04 23:58 · Score: 3, Informative
  
  Nope. NoScript protects against the relatively common attack vector of malicious 3rd-party scripts being injected into a site you already trust, via exploits or ad networks. In this scenario the site will try to load malware from http://lolhax.biz/ or whatever, which it doesn't normally do and you haven't permitted, so it fails. It saved me once when a PHP forum I visited often got hacked.
18. Re:Javascript required? by swillden · 2011-12-05 01:08 · Score: 1
  
  There's a limit to the number of resources they'll download in parallell; it would probably be necessary to saturate that first. In fact, filling up all of the available download slots might really help -- request a bunch of resources from a server that will respond to the connection request but not complete it. Then the attacker could start timing from the instant the server completes the pre-timing request, then stop when the server receives the post-timing request. Some similar methods could be used to measure typical RTT and jitter, to calibrate the timing and pre-determine the likely accuracy of the attack.
  Now, if the browser uses a new download thread/socket pool for each domain, that wouldn't work. But I suspect there's a per-endpoint pool and a total pool, otherwise a web page could DOS the client by consuming all network sockets. The attacker might need a few servers to saturate each of the per-endpoint pools until the total pool is saturated.
  Browsers could defeat this attack by randomizing resource download order.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
19. Re:Javascript required? by BVis · 2011-12-05 01:38 · Score: 1
  
  Well, apparently it is difficult.
  I think you might be mistaking "difficult" for "it takes time to do it". Until marketing/bean counters/PHB's realize they're giving their web devs about a third as much time as they should most of the time, things like 'graceful degradation' get turned into 'it works in the CEO's browser, it's done."
  
  --
  Never underestimate the power of stupid people in large groups.
20. Re:Javascript required? by icebraining · 2011-12-05 01:45 · Score: 1
  
  Doesn't that assume the page controls the total pool? My Firefox instance has eight established connections; with Ajax or background loading tabs, it's hardly unexpected that some other website will take over the only available socket, making a cached load appear as slow as a remote request.
  
  --
  Dilbert RSS feed
21. Re:Javascript required? by GameboyRMH · 2011-12-05 01:46 · Score: 1
  
  It's definitely not easy enough for the average user. My dad's better than average with computers and he struggles with it sometimes.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
22. Re:Javascript required? by GameboyRMH · 2011-12-05 01:47 · Score: 1
  
  Facebook's tracking is just the tip of the iceberg...look at Ghostery's downloadable blocklist.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
23. Re:Javascript required? by swillden · 2011-12-05 02:04 · Score: 1
  
  Mmm, yes, I was assuming there's a pool per tab. With Chrome, since each tab is a separate process, I'm pretty sure that's the case.
  I don't think that's an insuperable problem, though. The attacker can just watch the requests that are supposed to saturate the pool coming into the server, and if they stop arriving he can assume the pool is full. At that point he knows how large the available pool is, factoring in other connections already established, and can "release" enough connections to allow the page loading process to get down to the interesting bit. Of course, the connections from other tabs aren't static, so there's going to be a little noise, but even the scripted version of the attack is noisy.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
24. Re:Javascript required? by neonKow · 2011-12-05 03:56 · Score: 1
  
  Once you feel bad about a site, doesn't that mean you've visited it already? At that point you've already loaded any exploit scripts there may be on the page.
25. Re:Javascript required? by Oligonicella · 2011-12-05 04:53 · Score: 1
  
  Which in the bulk of cases also means "It works in the majority of browsers. Done." It's a business decision.
  
  Graceful degradation is nice theory. That's all it is until you apply some form of constraints because it's discussed as if it remains abstract. Be realistically, how big a percentage of users will actually require access to a fully degraded website?
  
  Small. Very.
  
  Because the great majority of them use a browser similar to the CEO's. It's not really a bad measure unless the CEO is a techo-geek or Luddite. Few are.
26. Re:Javascript required? by hedwards · 2011-12-05 10:34 · Score: 1
  
  You do realize that Noscript does a lot of other things as well, right? That and just because pretty quickly everything gets enabled doesn't make noscript worthless. It just means that you don't receive as much protection. I personally find it to be quite helpful when I click a link from a search engine and end up somewhere I don't want to be.
27. Re:Javascript required? by bussdriver · 2011-12-07 07:56 · Score: 1
  
  True. They may not be exploited at the time you visit but when you return; it may not target your browser either. Sure, it is not fool proof; but blocking javascript completely isn't full protection either. ALLOWING flash is probably more of a risk anyhow.
  
  --
  Democracy Now! - uncensored, anti-establishment news
convincing implementation by cachimaster · 2011-12-04 11:47 · Score: 4, Interesting

The theory isn't new, but a convincing implementation is.
Convincing to who? to you?
ACM was quite convinced back in 2000 when they published the paper.
They obviously implemented it because it contains a lot of measurements.
1. Re:convincing implementation by osu-neko · 2011-12-04 12:25 · Score: 1
  
  The theory isn't new, but a convincing implementation is.
  Convincing to who? to you?
  ACM was quite convinced back in 2000 when they published the paper.
  They obviously implemented it because it contains a lot of measurements.
  Convincing to browser developers, obviously, who moved to fix the other problems fairly quickly but have, to date, done nothing about this one.
  And obviously, yes, they implemented a method for doing this back in 2000 for that paper. It's what's being referred to when the author notes, "Such attacks were historically regarded as fairly impractical, slow, and noisy - and perhaps more importantly, one-shot." What we have now, though, is a method that is fast, practical, and nondestructive.
  
  --
  "Convictions are more dangerous enemies of truth than lies."
2. Re:convincing implementation by Hentes · 2011-12-04 12:49 · Score: 2
  
  Convincing to browser developers, obviously, who moved to fix the other problems fairly quickly but have, to date, done nothing about this one.
  Are you kidding me? The CSS visited link vulnerability took ages to get fixed.
  
  What we have now, though, is a method that is fast, practical, and nondestructive.
  It's too inaccurate to be practical. Try it.
Re:but you have to run their software to do it... by lattyware · 2011-12-04 11:53 · Score: 4, Informative

Reality: Only a small number of users use NoScript et al. This is a problem for those that don't, and even if you do, what about when the site you want someone from requires JS?

--
-- Lattyware (www.lattyware.co.uk)
without javascript by Anonymous Coward · 2011-12-04 11:57 · Score: 4, Interesting

They say it can work without javascript, but I do not believe that. None of the samples work without javascript. In the paper, it says:

We omit the straightforward but tedious details of how to write HTML that causes popular browsers to make serialized accesses to files.
Can anyone provide this tedious, but allegedly straightforward, and extremely critical detail?
1. Re:without javascript by Anonymous Coward · 2011-12-04 12:15 · Score: 1
  
  HTML is typically rendered in the order that it is read, therefore its possible to know that A is requested before B etc
  With that in mind you can sandwich your request to twitter between two dummy requests to a server that you control.
  Server compares the timing on the dummy requests and can guess the timing for the real one.
2. Re:without javascript by Anonymous Coward · 2011-12-04 12:43 · Score: 1
  
  Wow, I was wondering the same thing, then I found this -
  http://whattheinternetknowsaboutyou.com/docs/details.html
  Skip down to the CSS section:
  <style>
  a#link1:visited { background-image: url(/log?link1_was_visited); }
  a#link2:visited { background-image: url(/log?link2_was_visited); }
  </style>
  <a href="http://google.com" id="link1">
  <a href="http://yahoo.com" id="link2">
  The background-image is only loaded on the visited state...
3. Re:without javascript by Hentes · 2011-12-04 12:53 · Score: 3, Informative
  
  This is already fixed in most browsers, you need to update/reconfigure yours.
4. Re:without javascript by Bogtha · 2011-12-04 13:30 · Score: 2
  
  There's a little more to it than that. Browsers open multiple connections in parallel. Historically, this was limited by the HTTP specification to two simultaneous connections, but recent versions of browsers have increased this limit. You'd have to detect how many simultaneous connections were in use (or hack it by detecting the browser) and make requests to enough tarpits to bog down all but one of the connections. It would probably be fairly reliable, but the work to build that just to demonstrate the flaw in a different way doesn't seem worth it.
  There are places where serial access is more well-defined though. Off the top of my head, the only one I can think of is downloading external scripts (because you can't know ahead of time which of them will call document.write(), but they may be thinking of another case that will apply even when scripts aren't being downloaded.
  
  --
  Bogtha Bogtha Bogtha
jacked or tracked: it's your choice by Anonymous Coward · 2011-12-04 12:08 · Score: 1

If it's a reputable site - my bank, my VOIP provider, even the main domain for youtube or something - sure, run the software. But random scripts from weird sites? You have to be a few cards short of a full deck to trust random shit from the internet. It's the damn *internet*. Anyone can do anything on it, so it only takes about three functional neurons to realize that you should use a bit of caution. Even if you don't get jacked, you'll get tracked!
1. Re:jacked or tracked: it's your choice by CapOblivious2010 · 2011-12-04 12:57 · Score: 5, Interesting
  
  I've only gotten one internet virus in my life - via the "executable GIF" exploit, from visiting NVIDIA.COM !!!
  
  If you think "reputable" means "safe", YOU'RE a few cards short of a full deck!
2. Re:jacked or tracked: it's your choice by icebraining · 2011-12-04 13:04 · Score: 2, Funny
  
  'Multiple exclamation marks,' he went on, shaking his head, 'are a sure sign of a diseased mind.'
  
  --
  Dilbert RSS feed
3. Re:jacked or tracked: it's your choice by uufnord · 2011-12-04 13:24 · Score: 1, Offtopic
  
  OMG THAT IS SO THOUGHT-PROVOKING!!!11!!111!11
  What did he say about unattributed quotes and unreferenced personal pronouns?
4. Re:jacked or tracked: it's your choice by PNutts · 2011-12-04 13:54 · Score: 1
  
  A guy I work with has been compromised twice: Once on his work PC visiting Drudge Report. The other was on his home PC while he was... err... never mind. Let's just say he's only been compromised once from a non-adult website and leave it at that.
5. Re:jacked or tracked: it's your choice by wvmarle · 2011-12-04 15:54 · Score: 1
  
  And that is exactly why these scripts are run in a browser, and not directly from your desktop or so.
  One of the tasks of a web browser is to provide a script jail, where scripts can run safely, and where they can access resources they need but nothing more. You are downloading stuff from the Internet to display - that's how web browsing works of course. And that is why I want to be able to put trust in my browser that it will do everything it can to prevent these scripts from breaking out of their jail, and from accessing information they have no right to. So far at least Firefox is doing a pretty decent job in that, and I have put my trust in that browser.
  Also I'm glad to read about this kind of attacks. I'm not surprised it can be done, there will always be leaks. Though it appears to be rather hard to do, and I hope Mozilla and their competitors will read this too and implement some feature that thwarts this type of attack, keeping the rest of us safe.
How by farnsworth · 2011-12-04 12:19 · Score: 5, Informative

This seems to work by loading well-known resources into an iframe and using a heuristic of the "time to load" to tell if it's cached or not. Hence, whether or not you have visited that site. I just scanned the source code, but this is what it looks like. It any case, it's not like this code reveals your history -- just whether or not your browser has visited one in a set of popular sites.

Yay stateless web.

--
There aint no pancake so thin it doesn't have two sides.
1. Re:How by mapkinase · 2011-12-04 13:50 · Score: 1
  
  1/ actually read the article
  2/ post cliff notes about it
  3/ points
  Works like a charm.
  Now on topic: I clicked and it shows nothing because of my OCD: Ctrl-Shift-Del, Enter.
  
  --
  I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
Private Browsing mode FTW! by pla · 2011-12-04 12:23 · Score: 3, Insightful

Subject says it all. I don't worry about cookies, cache, or malicious scripts (other than wastes-of-bandwidth) because every time I open FireFox, it looks shiny and new to the outside world.

When I visit a "sensitive" site, like my bank, I open a new browser session and close it when I finish. Aside from that, I just don't worry about it, and have never had a problem. Hell, even that great data-mining wizard Google - My home page and probably the single most frequent site I hit - Always defaults me to Georgia (presumably the location of my ISP's HQ), missing by over a thousand miles.
Easy enough by Baloroth · 2011-12-04 12:28 · Score: 4, Interesting

Tried the test for Opera, and it mostly worked (missed Newegg). Tried it in a private tab, didn't work at all. So, any site you don't want tracking you you load in a private tab. Which you should anyways.
Out of curiosity, I also tried the FF test (in Opera, still) and the IE test. The IE worked, better even than the dedicated test, while the FF test failed utterly. Curious.
And of course, as always, this test only works for the specific sites you test for, not generally. But that isn't surprising. Wasn't terribly fast, either, I'd certainly notice if you tested for hundreds or thousands of sites.

--
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Alt-t, d, enter by Anonymous Coward · 2011-12-04 12:42 · Score: 3, Interesting

It's a dutch boy's thumb, but that quick key-combo clears history in Opera. I just habitually hit it between domains to kill tracking without screwing up sites that need cookies or js to function. Likely there's a Firefox equivalent.
What neither has by default is a way to do this automatically. Browser makers finally got around to letting us limit cookies to the visited site, but they could go much further.
Like just rig browser cache to be per domain -- there's no need for all domains to share the same cache.
Maybe it's the festish for 'fastest' browser? It just seems the makers aren't doing what can be done easily enough on modest modern machines to improve privacy.
A possible fix by Hentes · 2011-12-04 13:00 · Score: 2

While this specific implementation is very inaccurate, others using a similar method may work. An obvious workaround to these kind of attacks is to turn off caching, but that would increase loading times. I was wondering if there was a hack in some browser that would allow you to ban a site from using resources from another domain, whether it's by HTML or scripts. Does anyone know such a solution?
1. Re:A possible fix by Anonymous Coward · 2011-12-04 16:21 · Score: 1
  
  In FireFox the AddOn RequestPolicy does this. (www.requestpolicy.com)
2. Re:A possible fix by _0xd0ad · 2011-12-04 17:03 · Score: 3, Informative
  
  AdBlock Plus lets you do that very easily.
  e.g.
  Block fsdn.com on third-party sites except slashdot.org
  ||fsdn.com^$third-party,domain=~slashdot.org
  Block fbcdn.com on third-party sites except facebook.com, facebook.net, and fbcdn.net (write similar rules to block the other 3 facebook domains)
  ||fbcdn.com^$third-party,domain=~facebook.com|~facebook.net|~fbcdn.net
3. Re:A possible fix by FrootLoops · 2011-12-04 23:30 · Score: 1
  Other possible fixes:
  
  Add random delay when loading things: probably too much of an impact on loading times to be used
  
  Don't let scripts measure the passage of time while loading: awkward, but at least it has a low impact on other things; you'd also have to randomize the order in which things load to prevent an outside server from acting as a clock
4. Re:A possible fix by Hentes · 2011-12-04 23:38 · Score: 1
  
  Yeah blocking individual sites is possible, but imperfect from a security perspective.
5. Re:A possible fix by _0xd0ad · 2011-12-05 00:50 · Score: 1
  
  By which you mean it's limited to a finite number of sites?
  The number of sites they can check for is also finite.
  The number of sites in my history/cache is also finite.
  Note currently it's "yes" or "no", and "no" is indistinguishable from "blocked". They could make it slightly more reliable if they actively checked to see if I was blocking (e.g. Grooveshark pops up a warning box if it can't load the facebook integration).
6. Re:A possible fix by Hentes · 2011-12-05 01:07 · Score: 1
  
  While it's possible to create a rule for every site you visit, it is impractical. The number of sites they can check is irrelevant, because you don't know which sites they will be testing for. The number of sites in your cache can be limited, but what sites are in it changes constantly.
7. Re:A possible fix by GameboyRMH · 2011-12-05 01:50 · Score: 1
  
  If that's overkill for your requirements, I recommend Ghostery, which uses a blacklisting approach and includes a long list of tracking/ad services.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
8. Re:A possible fix by _0xd0ad · 2011-12-05 03:54 · Score: 1
  
  You'd probably think it impractical to go through the history and click "Forget About This Site" for sites which you don't want it remembering you visited. Which, in my case, is most of the sites I don't frequent.
Re:Multiple tests give conflicting results by icebraining · 2011-12-04 13:00 · Score: 3, Informative

That's because the test consists on downloading a file and measuring if it was instantaneous (cached) or not. Of course, the second time you run it, the script itself will have downloaded (and therefore put in cache) the same file, tricking itself.

--
Dilbert RSS feed
Fix: add a random delay for reporting time to load by bigtrike · 2011-12-04 13:19 · Score: 1

It seems like you could add a random delay of up to a couple hundred milliseconds before the browser reports that an iframe has successfully loaded, making it harder to tell by the timing.
Re:Fix: add a random delay for reporting time to l by Korin43 · 2011-12-04 13:21 · Score: 2

Except that would make JavaScript slower, which is the exact opposite of what the browser makers are going for.
Better have good gag reflexes by axlr8or · 2011-12-04 13:35 · Score: 5, Funny

Cuz if they wanna sniff my browser history they are in for a surprise.
Hard to block this by rlk · 2011-12-04 13:36 · Score: 4, Interesting

This kind of timing attack isn't easy to block.
Some kinds of timing attacks are. I think I heard once that a timing attack could be made against passwords in TOPS-20, because the passwords were stored in plaintext and compared one character at a time. The trick was to do the system call to check the password (or whatever it was) with the guess split across a page boundary (maybe the second page was forced out of memory or something). Since the system call would return as soon as one character didn't match, it was easy to see if the next character being guessed was correct or not. The fix was simple enough. Obviously there was a bit more to it than that, but I only heard this apocryphally as it was, and at that probably about 25 years ago.
This kind of thing is harder to fix, since it depends upon the difference between cache and non-cache access time, and the non-cached access time is not deterministic. It would be possible for the browser to introduce an artificial delay into the appropriate JavaScript calls, but that would make performance go down the tubes.
In any event, I tried it and the results didn't look very accurate (the first time, all of the sites it tried claimed that I had hit them; the secon time it caimed only one site was in cache, and after that it thought that nothing was).
Re:Fix: add a random delay for reporting time to l by bigtrike · 2011-12-04 13:44 · Score: 1

Yes, it definitely would. You could certainly limit the scope to only apply to cross domain queries for out of viewport/small/hidden iframes, but that still might cause slowness issues for legitimate uses.
Java gets such a hard time by ExtremeSupreme · 2011-12-04 13:45 · Score: 1

Java is considered such a security hole, and yet they sorted out this problem years ago. Java never could catch a break, geez.
1. Re:Java gets such a hard time by neonKow · 2011-12-05 04:06 · Score: 1
  
  Java doesn't deserve a break. It is still riddled with security holes, so if you don't need it for browsing, you're much better off without it. This goes double for corporate environments.
Suggest NoScript to implement Whitelist loader by Hyperhaplo · 2011-12-04 14:25 · Score: 3, Interesting

Perhaps you are both right.
Let's start with the idea that NoScript by default is enabled.
Let's continue with the notion that application management should be as minimal as possible.
I give firewall software as a good example. If it is not easy to do one of the following, then the software (in my opinion, for me) fails:
1) Monitor all software incoming / outgoing. Block anything not on the whitelist, log connections, provide an interface in the *background* for the user to allow or deny in the future as Rules
2) Monitor all software incoming / outgoing. Allow all by default, log all connections, provide an interface for the user to allow or deny in the future as Rules
NoScript does most of this already. What it lacks is a reliable whitelist, similar to that used by Ghostery or AdBlock Plus, which loads the user up with 99% of the Rules they need.
I agree with your comment. For most users, you can whitelist all major bank sites - knowing that 99% of the time the sites are fine.
If the user disagrees then they can modify this setting.
Add onto that list a whole bunch of sites where the root site should be able to be trusted; news sites - slashdot, news.com, guardian, age, newspapers, etc.
Built onto that well known commerical sites.
Make this list auto-update once per month; but not to override user set preferences.
There you go. A tool very similar in nature to Adblock Plus and Ghostery which upon startup has a configuration to protect users and supply 99% of the functionality needed.
If this was the case, then I would put this on lots of people's PCs, knowing that if there are issues then they can be dealt with.
Although, at the moment, Ghostery + AdBlock Plus on Firefox provide most of the protection needed in a usable, safe and coherent manner.

--
You have a sick, twisted mind. Please subscribe me to your newsletter.
Really? I call BS by Lawrence_Bird · 2011-12-04 14:29 · Score: 1

I ran this "test" three times in succession. First go it showed sites which yes I might have been to though one, Dogster I was fairly certain I had not. I then clicked it again and this time it came up with almost every site in green. Running a third time gave the same results as the first attempt.
1. Re:Really? I call BS by Anonymous Coward · 2011-12-04 15:30 · Score: 1
  
  Think about how it works and you will see why it gives you different answers if you run it.
2. Re:Really? I call BS by gl4ss · 2011-12-04 19:31 · Score: 1
  
  well, running safari it did get that I had visited slashdot.
  going to facebook, it for some reason thought I had gone to twitter though.
  (I know there's no "safari" version there, but the ie version did that)
  
  --
  world was created 5 seconds before this post as it is.
You would think so... by pscottdv · 2011-12-04 15:28 · Score: 3, Interesting

But according to how this exploit works they are not "completely different". They, in fact, have a small overlap. Apparently the exploit works by using JavaScript to load a file from a website and see how fast it loads. It infers you have been to a website if the file loads quickly.
They seem to have a trick to stop the process just before the browser puts the loaded file into the cache which prevents it from poisoning the very cache it is "testing".
Thus, setting cache to 0, which the OP recommends, and which I have been doing for years, is exactly the fix needed. I admit that I do not know he also disables history, as that would not help with this exploit.

--
this signature has been removed due to a DMCA takedown notice
1. Re:You would think so... by richkh · 2011-12-04 15:45 · Score: 1
  
  I'mt the OP. I don't disable history. I don't worry about server load either, because my proxy (I run ipcop on mini-ITX box) does the caching. The server doesn't get bombarded with multiple reloads, and the cache sniffing fails because the files aren't on the machine with the browser.
2. Re:You would think so... by icebraining · 2011-12-04 15:52 · Score: 4, Insightful
  
  The script doesn't actually analyze the cache, just the time it takes to load the resource, so if your proxy's cache is fast enough it might still be detected.
  
  --
  Dilbert RSS feed
3. Re:You would think so... by Pieroxy · 2011-12-04 21:42 · Score: 1
  
  Plus, for one machine compromised in your LAN, that's all the family's browsing history that gets leaked. Looks like the OP strategy is actually making things worse regarding this exploit.
  
  --
  Write boring code, not shiny code!
4. Re:You would think so... by pscottdv · 2011-12-05 03:44 · Score: 1
  
  Sorry, I meant GP.
  
  --
  this signature has been removed due to a DMCA takedown notice
Cache Experiment (Linux) by Anonymous Coward · 2011-12-04 17:00 · Score: 2, Interesting

I'm using Linux and I'm trying the same thing that I do with Adobe Flash... I /dev/null it...
cd to .mozilla/firefox/xxxxxxx.default (replace x's with your specific alphanumeric string)
rm -rf Cache (deletes Cache dir and all subfolders)
ln -s /dev/null Cache (creates symlink of Cache to /dev/null)
Since nothing escapes the event horizon that is /dev/null, your Cache is written but cannot be inspected by others seeking to pry into your well-deserved privacy.
So far, so good. I have noticed no slowness by doing this.
By the way, you can do this with Adobe Flash to prevent your LSO/Super/Flash cookies from being farmed as well.
In your home dir, delete both the .adobe and .macromedia dirs. Some distros only have one or the other. Debian and variants have both.
rm -rf .adobe .macromedia
ln -s /dev/null .adobe
ln -s /dev/null .macromedia
Now you can experience the benefits of Flash without exposing yourself to privacy concerns.
1. Re:Cache Experiment (Linux) by GameboyRMH · 2011-12-05 01:55 · Score: 1
  
  In either case, wouldn't doing this with the ~/.macromedia directory cause many Flash apps (especially video players that rely on the LSOs for storing buffered video) to malfunction?
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
Convenience by pentadecagon · 2011-12-04 20:11 · Score: 2

Convenience comes at a price.
You can buy your bread and butter at the local grocery with all your neighbors watching.
Or you can disguise and go to the other end of town, which takes time and increases traffic.
Re:Multiple tests give conflicting results by xstonedogx · 2011-12-04 20:33 · Score: 1

It is meant to be non-destructive to the cache.

In all browsers, we can reliably abort the underlying request by changing the src= parameter of the frame as soon as we have a reasonable suspicion we're dealing with a cache miss.
In other words, they don't actually download the files. They request the files to see if the browser starts parsing them within a certain time frame (indicating a cached document). Regardless, they abort the request after that time limit and the document is never cached.
If it did download the files as you suggest, the second and subsequent tests would always give the result that all sites had been visited. The OP and others on the page are reporting different behavior.
I'm seeing occassional transient false positives on Firefox and I'm not really certain how that can be the case.
Assuming the OP is seeing repeated false positives, I would guess he is behind a caching proxy that is caching aborted requests and, after repeated attempts, occassionally getting those documents to the browser faster than the tool can abort the request.
Simple fix? by Sqr(twg) · 2011-12-05 04:06 · Score: 1

It seems to me there's an easy way to make browsers immune to this: Introduce random delays when cached resources are fetched from other sites via JavaScript.
In a well-designed web-page, the static (i.e. cached) resources are referenced in the html (often in the headers) and not subject to timing attacks as they can be fetched in random order.
When something is requested dynamically via JavaScript it is typically not the cache anyways, so there is rarely a performance penalty.
When there is a performance penalty, it is only on the order of a single http-request, even if a thousand resources are fetched from cache. (The random delay consumes no hardware resources, so the same number of requests can still be executed in parallel.)