Measuring the time it takes for users to retrieve Web elements, Princeton researchers discover a subtle new way to determine what sites they've recently visited.
A technique that exploits the way in which Web browsers store recently viewed data could compromise privacy by allowing an attacker to check what sites a Netizen has visited recently.
Called a "timing attack," the exploit allows an unethical Web site to play 20 questions (or more) with a user's browser and check whether the surfer has recently viewed sites from a predetermined list.
An employer could use the technique on internal Web sites to see whether employees have been visiting competitors' job listings. A Web portal could check if a user has recently visited any of its sponsors.
"The attacks allow any Web site to determine whether or not each visitor has recently visited some other site (or set of sites)," said Princeton University computer science professor Edward Felten and graduate student Michael Schneider in a paper published at a technical conference last month. "The attacker can do this without the knowledge or consent of either the user or the other site."
The attack takes advantage of the data caches that browsers use to speed access to users' recently visited Web sites.
Caching is a technique that stores copies of frequently accessed data in a nearby location, whether on the user's PC or on a server on the local area network. The ability to store recently viewed items significantly reduces the amount of data that has to move over the Internet.
That kind of efficiency worries Felten and Schneider, however.
Timing is everything
By measuring how long it takes for a user's browser to load a page element, such as a graphic or file, from another site, an attacker can determine if the element is in the user's cache. If so, it means the user recently visited the site.
For example, if the webmaster of A.com wanted to see if users had visited the competition, Z.com, he or she would pick a cacheable Web element unique to Z.com, say, its logo. The webmaster could then write a Java or JavaScript applet to measure the time it takes to access the file and embed the program in the pages of A.com.
When a surfer visits A.com, his or her browser would download the applet and attempt to access the file from Z.com. If the file was in the cache, the browser will have ready access to it. Otherwise, the browser has to pluck the file from the Web, and that takes longer.
Felten and Schneider found that embedded Java or JavaScript applets produced accuracy rates greater than 98 percent.
If a browser has those features turned off, a second method of successive HTML calls can accurately gauge whether a user has visited a particular site about 94 percent of the time.
Because Java and JavaScript are not necessary and switching off caching can cause unacceptable performance degradation, "there seems to be little hope that effective countermeasures will be developed and deployed any time soon," Felten and Schneider wrote in their paper.
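To make the cache-hit versus cache-miss distinction concrete, and to show why the "switch off caching" countermeasure the paper mentions works, here is an added simulation that is not part of the original article or of Felten and Schneider's paper. It does not load anything from the network: the latency figures (roughly 5 ms for a cached element, roughly 120 ms for a fetch over the Internet) are constructed assumptions, the threshold rule (mean plus three standard deviations of known cache hits) is a hypothetical calibration step, and the function names are mine.

```python
"""
Simulation of the cache-timing inference described in the article.

Constructed model (not measurements from the paper):
  - a cache hit loads in about 5 ms,
  - a fetch over the Internet takes about 120 ms,
both with Gaussian jitter.  A threshold classifier then guesses
"visited" for any load faster than the cut-off.
"""
import random
import statistics

# Hypothetical latency model: (mean ms, standard deviation ms).
CACHED_MS = (5.0, 2.0)      # element already in the browser cache
NETWORK_MS = (120.0, 40.0)  # element must be fetched from the other site


def simulate_load_ms(rng, element_cached, caching_enabled=True):
    """Return one simulated load time in milliseconds.

    With caching disabled every load behaves like a network fetch,
    which is the countermeasure the paper considers too costly.
    """
    mean, sd = CACHED_MS if (element_cached and caching_enabled) else NETWORK_MS
    return max(0.0, rng.gauss(mean, sd))


def calibrate_threshold(rng, samples=200, caching_enabled=True):
    """Hypothetical calibration: time an element known to be cached
    (one the measuring page just served itself) and set the cut-off at
    mean + 3 standard deviations of those hits."""
    hits = [simulate_load_ms(rng, True, caching_enabled) for _ in range(samples)]
    return statistics.mean(hits) + 3 * statistics.pstdev(hits)


def classify(load_ms, threshold_ms):
    """Faster than the cut-off means the element was cached, i.e. the
    user is judged to have visited the other site recently."""
    return load_ms < threshold_ms


def run_experiment(seed=1, trials=1000, caching_enabled=True):
    """Simulate a balanced population (half visited the other site, half
    did not) and return the fraction the classifier gets right."""
    rng = random.Random(seed)
    threshold = calibrate_threshold(rng, caching_enabled=caching_enabled)
    correct = 0
    for i in range(trials):
        visited = (i % 2 == 0)          # ground truth for this user
        t = simulate_load_ms(rng, visited, caching_enabled)
        if classify(t, threshold) == visited:
            correct += 1
    return correct / trials


if __name__ == "__main__":
    print("caching on : accuracy %.3f" % run_experiment(caching_enabled=True))
    print("caching off: accuracy %.3f" % run_experiment(caching_enabled=False))
```

With caching on, the two latency populations barely overlap, so a simple threshold separates them almost perfectly, which is the kind of result the 98 percent figure reflects. With caching off, every load is a network fetch drawn from the same distribution, the calibration step learns nothing useful, and accuracy collapses to coin-flip level; the price, as the paper notes, is that every element is fetched over the Internet every time.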
While the two researchers believed the technique could be a threat to users' privacy, Richard Smith, chief technology officer of the non-profit Privacy Foundation, thought that the attack was more technically interesting than threatening.
"In theory, it might offer some problems for privacy," he said. "Time magazine could find out if you go to Newsweek and give you a better offer -- seems unlikely, though."
"But, it is interesting," he added. "It shows how subtle these things can be."