Not particularly exciting, but perhaps of some interest to the audiences here: http://lcamtuf.coredump.cx/cachetime/ It's a fairly crude hack, so it will probably fail spectacularly in some circumstances, but the bottom line is that you can probably do high-performance, repeated cache timing. The most important trick here is to abort navigation so that the requested URL never actually gets requested and cached if not already in cache. Cheers, /mz

Definitely interesting. Despite the disclaimer, your hack also works well on Chrome. The webtiming paper <http://sip.cs.princeton.edu/pub/webtiming.pdf> you referenced suggests domain tagging as a (limited) counter measure. Domain Tagging would thwart your current PoC. But since it is ineffective against other forms of web timing attacks, and since it completely negates the advantage of public CDNs such as google libraries<http://code.google.com/apis/libraries/> - I don't think browsers are likely to implement it. The last line on that report makes me sad - > We are not aware of any practical countermeasures to these attacks. There > seems to be little hope that effective countermeasures > will be developed and deployed any time soon --Sri On 3 December 2011 05:39, Michal Zalewski <lcamtuf@coredump.cx> wrote: > Not particularly exciting, but perhaps of some interest to the audiences > here: > > http://lcamtuf.coredump.cx/cachetime/ > > It's a fairly crude hack, so it will probably fail spectacularly in > some circumstances, but the bottom line is that you can probably do > high-performance, repeated cache timing. The most important trick here > is to abort navigation so that the requested URL never actually gets > requested and cached if not already in cache. > > Cheers, > /mz > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >

> Definitely interesting. Despite the disclaimer, your hack also works well on > Chrome. It may be by accident, but I don't think it works reliably; it was returning some false positives / false negatives for me. I have a Chrome variant that I started working on and that behaves well on one of my systems, but not yet on the other - check out chrome.html in the same directory if you're interested. In general, though, doing this in any browser is just a matter of investing few extra hours to fine-tune the navigation timings; the basic premise of being able to abort the request when you don't detect cache hit (indicated through a SOP exception on an <iframe>) within several milliseconds of starting navigation... that seems to work everywhere. /mz

Cool stuff, btw: it also works for guessing sites visited while in Private Browsing. Cesar. On 12/2/2011 9:09 PM, Michal Zalewski wrote: > Not particularly exciting, but perhaps of some interest to the audiences here: > > http://lcamtuf.coredump.cx/cachetime/ > > It's a fairly crude hack, so it will probably fail spectacularly in > some circumstances, but the bottom line is that you can probably do > high-performance, repeated cache timing. The most important trick here > is to abort navigation so that the requested URL never actually gets > requested and cached if not already in cache. > > Cheers, > /mz > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Just for the record: I greatly improved the original Firefox version (which now has a high success ratio according to the survey I added to the page); and added experimental variants for MSIE, Chrome, and Opera. Anyhow... /mz