From a108cd57788722c04b9e850695154e19a4063718 Mon Sep 17 00:00:00 2001
From: Tobias Eidelpes
Date: Tue, 25 Aug 2020 14:12:28 +0200
Subject: [PATCH] Add references for Cache Control Directives
---
 methods.tex | 27 ++++++++++++++-------------
 references.bib | 26 ++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/methods.tex b/methods.tex
index 9e8d6b3..23bcaa7 100644
--- a/methods.tex
+++ b/methods.tex
@@ -762,20 +762,21 @@ attack.
 Cache Control Directives can be supplied in the Cache-Control \gls{HTTP} header, allowing rules about storing, updating and deletion of resources in the cache to
-be defined. Cache Control Directives make heavy use of \emph{\glspl{ETag}} and
-\emph{Last-Modified \gls{HTTP} Headers} to determine whether a cached resource
-is stale and needs to be updated. Commonly, a collision-resistant hash function
-is used to generate a unique hash of a cached resource which is sent along with
-the resource in the first \gls{HTTP} request. The resource and the hash—which is
+be defined. Cache Control Directives make heavy use of \emph{\glspl{ETag}}
+\cite{fieldingHTTPETag} and \emph{Last-Modified \gls{HTTP} Headers}
+\cite{fieldingHTTPLastModified} to determine whether a cached resource is stale
+and needs to be updated. Commonly, a collision-resistant hash function is used
+to generate a unique hash of a cached resource which is sent along with the
+resource in the first \gls{HTTP} request. The resource and the hash—which is
 stored in the \gls{ETag} header—is then cached by the client. On subsequent
-retrievals of the same \gls{URL}, the client checks for an expiration date on the
-requested \gls{URL} via the Cache-Control and Expire headers. If the \gls{URL}
-has expired, the client sends a request with the \emph{If-None-Match} field set
-with the \gls{ETag}. The server then compares the \gls{ETag} received by the
-client with the generated \gls{ETag} of the resource on the server side. If the
-two values match (i.e., the resource has not changed), the server can send back
-an \gls{HTTP} 304 Not-Modified status. Otherwise, the answer contains a full
-\gls{HTTP} response with the modified resource and the newly generated
+retrievals of the same \gls{URL}, the client checks for an expiration date on
+the requested \gls{URL} via the Cache-Control and Expire headers. If
+\gls{URL} has expired, the client sends a request with the \emph{If-None-Match}
+field set with the \gls{ETag}. The server then compares the \gls{ETag} received
+by the client with the generated \gls{ETag} of the resource on the server side.
+If the two values match (i.e., the resource has not changed), the server can
+send back an \gls{HTTP} 304 Not-Modified status. Otherwise, the answer contains
+a full \gls{HTTP} response with the modified resource and the newly generated
 \gls{ETag}, which the client can cache again. Usage of \glspl{ETag} can therefore improve performance and cache consistency while at the same time reducing bandwidth usage.
diff --git a/references.bib b/references.bib
index cbdbf6d..15462ee 100644
--- a/references.bib
+++ b/references.bib
@@ -480,6 +480,22 @@ Web cache timing attacks},
 series = {{{CCS}} '00}
 }
 
+@misc{fieldingHTTPETag,
+ title = {{{HTTP}}/1.1: {{ETag}}},
+ shorttitle = {Hypertext {{Transfer Protocol}} ({{HTTP}}/1.1)},
+ author = {Fielding, Roy and Reschke, Julian},
+ url = {https://tools.ietf.org/html/rfc7232\#section-2.3},
+ urldate = {2020-08-25}
+}
+
+@misc{fieldingHTTPLastModified,
+ title = {{{HTTP}}/1.1: {{Last}}-{{Modified}}},
+ shorttitle = {Hypertext {{Transfer Protocol}} ({{HTTP}}/1.1)},
+ author = {Fielding, Roy and Reschke, Julian},
+ url = {https://tools.ietf.org/html/rfc7232\#section-2.2},
+ urldate = {2020-08-25}
+}
+
 @misc{fieldingHTTPSemanticsContent2014,
 title = {{{HTTP}}: {{Semantics}} and {{Content}} - {{Referer}}},
 shorttitle = {Hypertext {{Transfer Protocol}} ({{HTTP}}/1.1)},
@@ -732,6 +748,16 @@ Impact of CSS-based history detection},
 language = {English}
 }
 
+@inproceedings{juelsCacheCookiesBrowser2006,
+ title = {Cache Cookies for Browser Authentication},
+ booktitle = {2006 {{IEEE Symposium}} on {{Security}} and {{Privacy}} ({{S P}}'06)},
+ author = {Juels, A. and Jakobsson, M. and Jagatic, T.N.},
+ year = {2006},
+ month = may,
+ pages = {5 pp.-305},
+ abstract = {Like conventional cookies, cache cookies are data objects that servers store in Web browsers. Cache cookies, however, are unintentional byproducts of protocol design for browser caches. They do not enjoy any explicit interface support or security policies. In this paper, we show that despite limitations, cache cookies can play a useful role in the identification and authentication of users. Many users today block conventional cookies in their browsers as a privacy measure. The cache-cookie tools we propose can help restore lost usability and convenience to such users while maintaining good privacy. As we show, our techniques can also help combat online security threats such as phishing and pharming that ordinary cookies cannot. The ideas we introduce for cache-cookie management can strengthen ordinary cookies as well. The full version of this paper may be referenced at www.ravenwhite.com}
+}
+
 @inproceedings{kaizerCharacterizingWebsiteBehaviors2016,
 title = {Characterizing {{Website Behaviors Across Logged}}-in and {{Not}}-Logged-in {{Users}}},
 booktitle = {Proceedings of the 2016 {{Internet Measurement Conference}}},
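Review bot: `booktitle = {2006 {{IEEE Symposium}} on {{Security}} and {{Privacy}} ({{S P}}'06)}` appears to have lost the ampersand of the venue abbreviation, and `pages = {5 pp.-305}` is a publisher-export artefact rather than a page range; both will be printed verbatim by the style. Replace them with `booktitle = {2006 {IEEE} Symposium on Security and Privacy ({S\&P}'06)},` and `pages = {<start page from the publisher record>--305},`, and give the authors in full instead of glued initials: `author = {Juels, Ari and Jakobsson, Markus and Jagatic, Tom N.},`. The `abstract` field, including its trailing pointer to a full version, is not rendered by standard styles and can be dropped; a `doi` taken from the publisher record would make the entry resolvable without it.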