Add references for Cache Control Directives

This commit is contained in:
Tobias Eidelpes 2020-08-25 14:12:28 +02:00
parent 6787090629
commit a108cd5778
2 changed files with 40 additions and 13 deletions


@ -762,20 +762,21 @@ attack.
Cache Control Directives can be supplied in the Cache-Control \gls{HTTP} header, Cache Control Directives can be supplied in the Cache-Control \gls{HTTP} header,
allowing rules about storing, updating and deletion of resources in the cache to allowing rules about storing, updating and deletion of resources in the cache to
be defined. Cache Control Directives make heavy use of \emph{\glspl{ETag}} and be defined. Cache Control Directives make heavy use of \emph{\glspl{ETag}}
\emph{Last-Modified \gls{HTTP} Headers} to determine whether a cached resource \cite{fieldingHTTPETag} and \emph{Last-Modified \gls{HTTP} Headers}
is stale and needs to be updated. Commonly, a collision-resistant hash function \cite{fieldingHTTPLastModified} to determine whether a cached resource is stale
is used to generate a unique hash of a cached resource which is sent along with and needs to be updated. Commonly, a collision-resistant hash function is used
the resource in the first \gls{HTTP} request. The resource and the hash—which is to generate a unique hash of a cached resource which is sent along with the
resource in the first \gls{HTTP} request. The resource and the hash—which is
stored in the \gls{ETag} header—is then cached by the client. On subsequent stored in the \gls{ETag} header—is then cached by the client. On subsequent
retrievals of the same \gls{URL}, the client checks for an expiration date on the retrievals of the same \gls{URL}, the client checks for an expiration date on
requested \gls{URL} via the Cache-Control and Expire headers. If the \gls{URL} the requested \gls{URL} via the Cache-Control and Expire headers. If the
has expired, the client sends a request with the \emph{If-None-Match} field set \gls{URL} has expired, the client sends a request with the \emph{If-None-Match}
with the \gls{ETag}. The server then compares the \gls{ETag} received by the field set with the \gls{ETag}. The server then compares the \gls{ETag} received
client with the generated \gls{ETag} of the resource on the server side. If the by the client with the generated \gls{ETag} of the resource on the server side.
two values match (i.e., the resource has not changed), the server can send back If the two values match (i.e., the resource has not changed), the server can
an \gls{HTTP} 304 Not-Modified status. Otherwise, the answer contains a full send back an \gls{HTTP} 304 Not-Modified status. Otherwise, the answer contains
\gls{HTTP} response with the modified resource and the newly generated a full \gls{HTTP} response with the modified resource and the newly generated
\gls{ETag}, which the client can cache again. Usage of \glspl{ETag} can \gls{ETag}, which the client can cache again. Usage of \glspl{ETag} can
therefore improve performance and cache consistency while at the same time therefore improve performance and cache consistency while at the same time
reducing bandwidth usage. reducing bandwidth usage.
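Review bot: The rewritten sentence still places the validator in the client's request — `sent along with the resource in the first \gls{HTTP} request` — whereas the newly cited RFC 7232 sections describe the ETag as something the server returns in its response and the client later echoes in If-None-Match; suggest `sent along with the resource in the first \gls{HTTP} response`. Two smaller accuracy points in the same paragraph: the header is spelled `Expires` (the text has `Expire`), and the status is conventionally written `304 Not Modified` rather than `304 Not-Modified`. The statement that a collision-resistant hash is used describes a common implementation rather than anything the cited RFC prescribes — an ETag is an opaque validator — so consider making that explicit, e.g. `Commonly, though not required by the specification, a collision-resistant hash function is used`, since the distinction matters when the thesis later reasons about what an attacker can infer from validator values.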


@ -480,6 +480,22 @@ Web cache timing attacks},
series = {{{CCS}} '00} series = {{{CCS}} '00}
} }
@misc{fieldingHTTPETag,
title = {{{HTTP}}/1.1: {{ETag}}},
shorttitle = {Hypertext {{Transfer Protocol}} ({{HTTP}}/1.1)},
author = {Fielding, Roy and Reschke, Julian},
url = {https://tools.ietf.org/html/rfc7232\#section-2.3},
urldate = {2020-08-25}
}
@misc{fieldingHTTPLastModified,
title = {{{HTTP}}/1.1: {{Last}}-{{Modified}}},
shorttitle = {Hypertext {{Transfer Protocol}} ({{HTTP}}/1.1)},
author = {Fielding, Roy and Reschke, Julian},
url = {https://tools.ietf.org/html/rfc7232\#section-2.2},
urldate = {2020-08-25}
}
@misc{fieldingHTTPSemanticsContent2014, @misc{fieldingHTTPSemanticsContent2014,
title = {{{HTTP}}: {{Semantics}} and {{Content}} - {{Referer}}}, title = {{{HTTP}}: {{Semantics}} and {{Content}} - {{Referer}}},
shorttitle = {Hypertext {{Transfer Protocol}} ({{HTTP}}/1.1)}, shorttitle = {Hypertext {{Transfer Protocol}} ({{HTTP}}/1.1)},
@ -732,6 +748,16 @@ Impact of CSS-based history detection},
language = {English} language = {English}
} }
@inproceedings{juelsCacheCookiesBrowser2006,
title = {Cache Cookies for Browser Authentication},
booktitle = {2006 {{IEEE Symposium}} on {{Security}} and {{Privacy}} ({{S P}}'06)},
author = {Juels, A. and Jakobsson, M. and Jagatic, T.N.},
year = {2006},
month = may,
pages = {5 pp.-305},
abstract = {Like conventional cookies, cache cookies are data objects that servers store in Web browsers. Cache cookies, however, are unintentional byproducts of protocol design for browser caches. They do not enjoy any explicit interface support or security policies. In this paper, we show that despite limitations, cache cookies can play a useful role in the identification and authentication of users. Many users today block conventional cookies in their browsers as a privacy measure. The cache-cookie tools we propose can help restore lost usability and convenience to such users while maintaining good privacy. As we show, our techniques can also help combat online security threats such as phishing and pharming that ordinary cookies cannot. The ideas we introduce for cache-cookie management can strengthen ordinary cookies as well. The full version of this paper may be referenced at www.ravenwhite.com}
}
@inproceedings{kaizerCharacterizingWebsiteBehaviors2016, @inproceedings{kaizerCharacterizingWebsiteBehaviors2016,
title = {Characterizing {{Website Behaviors Across Logged}}-in and {{Not}}-Logged-in {{Users}}}, title = {Characterizing {{Website Behaviors Across Logged}}-in and {{Not}}-Logged-in {{Users}}},
booktitle = {Proceedings of the 2016 {{Internet Measurement Conference}}}, booktitle = {Proceedings of the 2016 {{Internet Measurement Conference}}},
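Review bot: The added `juelsCacheCookiesBrowser2006` entry carries publisher-export artefacts: `pages = {5 pp.-305}` is a page count fused with a single-hyphen range rather than a page range, and the initials in `author = {Juels, A. and Jakobsson, M. and Jagatic, T.N.}` are glued; replace the pages value with the real range using `--` (or drop the field) and write `Jagatic, T. N.`. In the first hunk, `fieldingHTTPETag` and `fieldingHTTPLastModified` are two keys for sections of the same document (RFC 7232) and neither has a `year`/`date`, so they will sort and label as undated near-duplicates; one entry for the RFC, cited with a section postnote such as `\cite[Sec.~2.3]{fieldingHTTPETag}`, would avoid that, and whichever form stays needs a date field. The `\#` in both `url` fields is classic-BibTeX escaping; if the thesis builds with Biber, verbatim fields may keep the backslash literally, so confirm against the backend in use.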