Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users - Inria - Institut national de recherche en sciences et technologies du numérique
Conference paper, Year: 2021

Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users

Abstract

Many browser cache attacks have been proposed in the literature to sniff the user's browsing history. All of them rely on specific time measurements to infer whether a resource is in the cache or not. Unlike the state of the art, this paper reports on a novel cache-based attack that is not a timing attack but that abuses the HTTP cache-control and expires headers to extract the exact date and time when a resource was cached by the browser. The privacy implications are serious, as this information can not only be used to detect whether a website was visited by the user but can also help build a timeline of the user's visits. This goes beyond traditional history sniffing attacks, as we can observe patterns of visits and model the user's behavior on the web. To evaluate the impact of our attack, we tested it on all major browsers and found that all of them, except the ones based on WebKit, are vulnerable to it. Since our attack requires specific HTTP headers to be present, we also crawled the Tranco Top 100K websites and identified that 12,970 of them can be detected with our approach. Among them, 1,910 deliver resources that have expiry dates greater than 100 days, enabling long-term user tracking. Finally, we discuss possible defenses at both the browser and standard levels to prevent users from being tracked.
Main file
dejavu-pets21.pdf (770.44 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-03017222, version 1 (16-12-2020)

Identifiers

  • HAL Id: hal-03017222, version 1

Cite

Vikas Mishra, Pierre Laperdrix, Walter Rudametkin, Romain Rouvoy. Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users. PETS 2021 - The 21th International Symposium on Privacy Enhancing Technologies, Jul 2021, Virtual, France. ⟨hal-03017222⟩
353 Views
1043 Downloads