Citation | To appear in the Proceedings of the WWW 2006 Conference. |
Authors | Collin Jackson, Andrew Bortz, Dan Boneh, John C. Mitchell |
Through a variety of means, including a range
of browser cache methods and inspecting the color of
a visited hyperlink, client-side browser state can be
exploited to track users against their wishes. This
tracking is possible because persistent, client-side
browser state is not properly partitioned on a per-site
basis in current browsers. We address this problem by
refining the general notion of a "same-origin" policy.
We implemented two browser extensions that enforce
this policy on the browser cache and visited links.
We also analyze various degrees of cooperation
between sites to track users, and show that even if
long-term browser state is properly partitioned, it is
still possible for sites to use modern web features to
bounce users between sites and invisibly engage in
cross-domain tracking of their visitors. Cooperative
privacy attacks are an unavoidable consequence of all
persistent browser state that affects the behavior of
the browser, and disabling or frequently expiring this
state is the only way to achieve true privacy against
colluding parties.
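As an added illustration (not code from the paper or the extensions it describes), the following Python model shows the partitioning idea from the abstract: the same cache and visited-link lookups keyed either globally or by the top-level site, and what a third party embedded on two sites can learn under each keying. Site names and URLs are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class BrowserState:
    """Persistent state (a cache or a visited-link set) that records URLs.

    When partitioned, every entry is keyed by the top-level site the user
    was visiting when it was written, so a record made under one site is
    invisible when the browser is rendering another site.
    """
    partitioned: bool
    entries: set = field(default_factory=set)

    def _key(self, top_level_site: str, url: str):
        # Unpartitioned state uses one global bucket ("*") for every site.
        return (top_level_site if self.partitioned else "*", url)

    def record(self, top_level_site: str, url: str) -> None:
        self.entries.add(self._key(top_level_site, url))

    def seen(self, top_level_site: str, url: str) -> bool:
        return self._key(top_level_site, url) in self.entries

def cache_links_visits(partitioned: bool) -> bool:
    """Can a third party embedded on two sites tell it is the same user?"""
    cache = BrowserState(partitioned)
    probe = "https://tracker.example/probe.gif"  # constructed third-party resource
    # User visits a.example, which embeds the probe: the cache fills.
    cache.record("a.example", probe)
    # User later visits b.example, which embeds the same probe. A cache hit
    # (observable to the embedded script via load timing) links the visits.
    return cache.seen("b.example", probe)

def same_site_caching_works(partitioned: bool) -> bool:
    """Partitioning still lets a site reuse its own cached resources."""
    cache = BrowserState(partitioned)
    cache.record("a.example", "https://a.example/style.css")
    return cache.seen("a.example", "https://a.example/style.css")

def visited_link_leaks(partitioned: bool) -> bool:
    """Can b.example learn, via visited-link styling, where the user went on a.example?"""
    visited = BrowserState(partitioned)
    visited.record("a.example", "https://a.example/private-page")  # clicked on a.example
    # b.example renders a link to that URL and inspects its computed style.
    return visited.seen("b.example", "https://a.example/private-page")
```

Under the partitioned keying both cross-site checks return False while ordinary same-site caching keeps working; the abstract's point about cooperating sites is that this only covers state written under different top-level sites, not sites that deliberately bounce the user between them.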