A technique that exploits the way Web browsers store
recently viewed data could compromise Internet users' privacy by allowing an
attacker to check what sites a person has visited recently.
The exploit--called a "timing attack"--allows an unethical Web site to play
20 questions (or more) with a person's browser and check whether the surfer
has recently viewed any sites from a predetermined list.
An employer could use the technique on internal Web sites to see whether any
employees have been visiting the competition's job listings. A Web portal
could check whether a person has recently visited any of its sponsors.
"The attacks allow any Web site to determine whether or not each visitor has
recently visited some other site" or set of sites, Edward Felten, a
professor of computer science at Princeton University, and Michael
Schneider, a graduate student, wrote in a paper published at a technical
conference last month.
"The attacker can do this without the knowledge or consent of either the
user or the other site," they wrote.
The attack takes advantage of the data caches used by browsers to speed access to recently visited Web sites.
Caching is a technique that stores copies of frequently accessed data in a
nearby location, whether on a person's PC or on a server on the local area
network. The ability to store recently viewed items significantly reduces
the amount of data that has to move over the Internet.
How big a threat?
While the two researchers worry that the technique could be a threat to
people's privacy, Richard Smith, chief technology officer of the nonprofit
Privacy Foundation, said that the attack was more technically interesting
"In theory, it might offer some problems for privacy," he said. "Time
magazine could find out if you go to Newsweek and give you a better
offer--seems unlikely, though.
"But it is interesting," he added. "It shows how subtle these things can
What worries Felten and Schneider is the technique's efficiency.
By measuring how long it takes for a person's browser to load in a page
element--say, a graphic or a file--from another site, an attacker can
determine if the element is in the person's cache. If so, that means the person recently visited that other site.
For example, if the Webmaster of A.com wants to see whether visitors have
been to competitor Z.com, he would pick a cacheable Web element unique to
would be embedded in the pages of A.com.
When a surfer visits A.com, his or her browser would download the applet and attempt to access the file from Z.com. If the file is in the cache, the browser can quickly access it. Otherwise, it has to pull down the file from the Web, and that takes longer.
The technique can quite accurately gauge whether a site has recently been
accessed by any visitor.
in accuracy rates of greater than 98 percent. If the browser has those
features turned off, then a second method of successive HTML calls can
accurately gauge whether a person has visited a particular site about 94
percent of the time.
leads to unacceptable performance degradation, "there seems to be little
hope that effective countermeasures will be developed and deployed any time
soon," Felten and Schneider wrote.