A Google researcher has resurrected an attack that allows website operators to steal the browsing history of visitors almost a year after all major browser makers introduced changes to close the gaping privacy hole. Proof-of-concept code recently posted by Google security researcher Michal Zalewski works against the majority of …
So presumably, no cache means it doesn't work. I never have a cache turned on. It generally doesn't bother me if a page loads in 1 second or 10.
I always have Firefox set to not cache anything. But IE won't let you do that, and unfortunately occasionally one finds websites that only work with IE (here in the US, usually government sites).
Goody for you
I never connect to the internet so it doesn't bother me either, duh
You could use the InPrivate browsing mode in IE? That either doesn't cache, or it clears it when you close the browser.
Noscript is your friend
Simple workaround with many spin off benefits: treat your computer as a production machine,
How is that supposed to work?
Agreed. 90% of the time the problem is jscript. Solution is noscript
But we keep going through this every time, don't we.
People: turn off scripting. Do it now, get used to it being off. If you don't want to, don't moan here if you get sniffed/hacked. It's your tradeoff.
(@volsano: noscript or a high-level proxy is the right place to block jscript; a firewall typically works at a much lower level)
(@them who disable caching: that can significantly increase the load on the servers, hence their cost to run, which isn't fair on the majority of sites who don't abuse your browser)
re: How is that supposed to work?
Yes, idiot web designers use it indiscriminately. Noscript breaks them. I choose not to use those sites and if I have to then it runs in a VM. I'm prepared to make that tradeoff for security.
"tell NoScript to load everything or whitelist the site. Which really isn't much of an improvement in security"
Obviously security isn't a priority to you as you freely discard it. Your choice, your responsibility, your hackage, that's fine but please don't whinge about it.
I'm surprised Google want to divulge this!
Wrongly or rightly, it would be worth a lot more to them if they kept this to themselves!
Why would they care?
Most of the internet seems to run urchintracker. They get all the data they need, and in rather more detail than this sort of snooping trick.
No surprise that it affects IE but I was a little surprised to find that other browsers were affected because as everyone knows, MS software is full of security holes!
Didn't work for me, even with all the noscript-type stuff disabled. The only sites it claimed it found were twitter and facebook, that I don't use.
I like the way the attack tries to work, though, very neat- I am sure it has traction in some cases.
Facebook and Twitter will show up if you don't block their buttons on other sites.
This one is tricky.
Delete browser history on exit. Delete temp files on exit.
Open new instance for each site you wish to visit.
Will this work in practice?
Surely once one website has tried to use this exploit, the cache will end up preloaded with the sites that were tested so the results will not be valid/reliable for subsequent trials?
If you look at the comments in his source code, you'll note that it cancels the requests before they can be completed if the site hasn't been cached. So it doesn't pollute its results if run repeatedly, and doesn't leave traces of having been run (aside from the script itself being cached, of course).
Saying turning off JS is a solution is a bit like saying you can make a computer more secure by not letting users run any programs... JS _is_ the internet to a significant extent in these days of AJAX and non-static pages.
Not too bothered
The exploit does not work for me; plus, all versions give roughly the same (erroneous) results (i.e. the versions which are not supposed to work do not work worse than the one which is supposed to work). Also, same results after clearing the cache.
Although to be honest there might or might not be a caching proxy between me and the wild wild web; if that is the reason, someone here lurvs Justin Bieber and someone else likes Playboy (I really hope they are not the same person).
failed for me
Any site you have blocked via adblocker or similar will appear as "recently visited" in this test, since blocking is akin to "loading really fast" as far as your local cache is concerned.
No fair blaming IE for working as it should
This example works by timing how long it takes the browsers to render the display, if the site has been cached then it is going to load quicker. This is a functional benefit to most surfing so yes you can turn off caching, most people have a decent connection now but the next "vulnerability" will be DNS caching shall we turn that off too?
If you have problems with using noscript then don't but as the previous post points out don't come b1tching to us that you failed to take reasonable measures of protection.
Flash gets my vote for being worst vector
Doesn't this mean that you have to tell it what websites you want it to check for?... rather than just ask your computer which websites you've been to... if a NAT'd computer is behind a caching proxy, isn't it likely that you'll get the same results for every computer in that network as well...