Issue 718283
Issue metadata

Status: WontFix
Owner: ----
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

HTTP caching impacts privacy of visited sites via timing leaks

Reported by andrew.t...@gmail.com, May 4 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36

Steps to reproduce the problem:
1. Open new incognito window, navigate to http://jsfiddle.net/duygh87x/
2. Get message that you haven't visited a certain site before, close incognito window
3. Open new incognito window, navigate to http://www.huffingtonpost.com/
4. Open new tab in same incognito window, navigate to http://jsfiddle.net/duygh87x/
5. Get message that you've visited a certain site before

What is the expected behavior?
My thoughts:

1. http://hostname2 shouldn't get a 304 for a resource originally requested by http://hostname1
2. https://hostname1 shouldn't get a 304 for a resource originally requested by http://hostname1
3. http://hostname1:foo shouldn't get a 304 for a resource originally requested by http://hostname1:bar

What went wrong?
A third party is able to guess what sites you've visited by examining the load times of cacheable resources from a different site.

Did this work before? No 

Chrome version: 58.0.3029.96  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
 
Components: Internals>Network>Cache Privacy
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: HTTP caching impacts privacy of visited sites via timing leaks (was: Consider caching resources by host name / protocol / port instead of globally)

As described, this isn't a security vulnerability in Chrome; it's a privacy issue inherent in the design of the web.

The proposal described here would have significant impact on the performance of the web.

Status: WontFix (was: Unconfirmed)

This is expected behavior. The promise of incognito is that once you close all incognito tabs, there's no local record of your session. Incognito windows share in-memory caches, as well as an in-memory cookie store, so standard timing attacks work against them.

The use of incognito was just a testing detail, to illustrate the approach if you had / had not visited the targeted domain (HuffPost) before. But it would be nice if incognito worked this way. I understand the proposed solution would render any CDN useless if applied generally.

To your point, users can easily block 3rd party / tracking cookies from settings. AFAIK they can't manage / disable caching without the use of dev tools.

Issue 800118 has been merged into this issue.
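To make the three cases in the report concrete, here is an added toy model (not Chromium's cache code and not from any commenter) of a cache keyed by the requesting page's scheme, host and port, beside the globally keyed cache the report describes. The names `partitionOf`, `GlobalCache`, `PartitionedCache` and the sample CDN URL are illustrative assumptions.

```javascript
// Toy model of the two caching policies discussed in the report.
// Constructed for illustration; not Chromium's implementation.

// Reduce a page URL to the (scheme, host, port) triple the report proposes
// as the cache partition. Default ports are made explicit so that
// http://a/ and http://a:80/ share a partition while http://a:8080/ does not.
function partitionOf(pageUrl) {
  const u = new URL(pageUrl);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

class GlobalCache {
  constructor() { this.entries = new Map(); }
  // Current behaviour: the key is the resource URL alone, so a page on any
  // site can observe a hit left behind by an earlier visit to another site.
  key(_pageUrl, resourceUrl) { return resourceUrl; }
  store(pageUrl, resourceUrl, body) {
    this.entries.set(this.key(pageUrl, resourceUrl), body);
  }
  lookup(pageUrl, resourceUrl) {
    return this.entries.has(this.key(pageUrl, resourceUrl));
  }
}

class PartitionedCache extends GlobalCache {
  // Proposed behaviour: prefix the key with the requesting page's partition,
  // so a hit is visible only to pages on the same scheme, host and port.
  key(pageUrl, resourceUrl) {
    return `${partitionOf(pageUrl)} ${resourceUrl}`;
  }
}

// Constructed scenario mirroring the report's three cases: a resource is
// cached while visiting http://hostname1, then probed from other pages.
function simulate(cache) {
  const resource = "http://cdn.example/site.css"; // constructed sample URL
  cache.store("http://hostname1/", resource, "/* css */");
  return {
    sameSite:    cache.lookup("http://hostname1/", resource),
    otherHost:   cache.lookup("http://hostname2/", resource),      // case 1
    otherScheme: cache.lookup("https://hostname1/", resource),     // case 2
    otherPort:   cache.lookup("http://hostname1:8080/", resource), // case 3
    defaultPort: cache.lookup("http://hostname1:80/", resource),
  };
}
```

With `GlobalCache` every probe reports a hit, which is the cross-site signal the report describes; with `PartitionedCache` only the same-site probes (including the explicit default port) do.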