Rotten Cellar: Security and Privacy of the Browser Cache Revisited

  • Florian Dehling
  • Tobias Mengel
  • Luigi Lo Iacono
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11875)

Abstract

Web browsers use HTTP caches to reduce the amount of data to be transferred over the network and allow Web pages to load faster. Content such as scripts, images, and style sheets, which is static most of the time or shared across multiple websites, is stored and loaded locally when recurring requests ask for cached resources. This behaviour can be exploited if the cache is based on a naive implementation. This paper summarises possible attacks on the browser cache and shows through extensive experiments that even modern web browsers still do not provide enough safeguards to protect their users. Moreover, the available built-in as well as addable cache controls offer rather limited functionality in terms of protection and ease of use. Due to the volatile and inhomogeneous APIs for controlling the cache in modern browsers, the development of enhanced user-centric cache controls remains—until further notice—in the hands of browser manufacturers.
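As an added illustration (not code from the paper or its authors) of the "naive implementation" the abstract refers to: a cache keyed by resource URL alone lets a page on one site observe whether another site's resource is already cached, while keying additionally by the top-level site (cache partitioning, which current browsers have since adopted) removes that cross-site observation channel without losing same-site reuse. Site names and resource URLs below are constructed for the scenario.

```python
"""Model of a URL-keyed vs. a partitioned browser cache (added illustration)."""
from dataclasses import dataclass, field


@dataclass
class BrowserCache:
    partitioned: bool                 # key by (top-level site, URL) instead of URL only
    store: dict = field(default_factory=dict)
    network_fetches: int = 0          # number of simulated network round trips

    def _key(self, top_level_site: str, url: str) -> tuple:
        # Naive cache: the URL is the whole key, so every site shares one slot.
        # Partitioned cache: each top-level site gets its own slot per URL.
        return (top_level_site, url) if self.partitioned else (url,)

    def fetch(self, top_level_site: str, url: str) -> str:
        """Load `url` for a page whose top-level site is `top_level_site`.
        Returns 'hit' when served from cache, 'miss' after a network fetch."""
        key = self._key(top_level_site, url)
        if key in self.store:
            return "hit"
        self.network_fetches += 1
        self.store[key] = f"<constructed body of {url}>"
        return "miss"


def cross_site_observable(partitioned: bool) -> bool:
    """True if a second site can learn that the first site's resource was
    cached, i.e. the cross-site state leak a URL-only key permits."""
    cache = BrowserCache(partitioned=partitioned)
    # Constructed scenario: the user visits site A, which loads its own logo.
    cache.fetch("https://site-a.example", "https://site-a.example/logo.png")
    # Later the user visits unrelated site B, which embeds that same URL.
    # URL-only key: served from cache ('hit'), revealing the earlier visit.
    # Partitioned key: site B has no entry yet, so it sees a 'miss'.
    return cache.fetch("https://site-b.example", "https://site-a.example/logo.png") == "hit"


def same_site_reuse(partitioned: bool) -> bool:
    """Partitioning keeps the performance benefit: a revisit within one
    site is still served from cache."""
    cache = BrowserCache(partitioned=partitioned)
    cache.fetch("https://site-a.example", "https://site-a.example/app.js")
    return cache.fetch("https://site-a.example", "https://site-a.example/app.js") == "hit"


if __name__ == "__main__":
    print("URL-only key leaks across sites:", cross_site_observable(False))
    print("partitioned key leaks across sites:", cross_site_observable(True))
    print("partitioned key still reuses same-site:", same_site_reuse(True))
```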

Keywords

Browser cache, Security, Privacy

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. TH Köln University of Applied Sciences, Cologne, Germany