Caching and sizes, the explosion of responise codes (was Re: Caching and status codes)

Jason McBrayer jmcbray at carcosa.net
Mon Nov 9 23:02:41 GMT 2020

Previous message (by thread): Caching and sizes, the explosion of responise codes (was Re: Caching and status codes)
Next message (by thread): Caching and sizes, the explosion of responise codes (was Re: Caching and status codes)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

John Cowan <cowan at ccil.org> writes:

> I don't understand your reasoning there. What does a server learn by
> sending a 21 YOU CAN CACHE or 22 YOU SHOULD NOT CACHE response back
> instead of a plain 20 response? (I'm not a security expert and I know
> there are loopholes I don't see.)

The server operator gets a decent guess at whether the user has visited
the page before (within a reasonable caching window), because if you
sent a 21 YOU CAN CACHE, and they made the request, that means they
hadn't seen it recently. Combine this with query strings, IP addresses,
and/or fragment identifiers, and you can identify individual users, even
users who have refused to set a client certificate when you asked. It's
a pretty minor information leak, since it can't be used for cross-site
tracking. But give techbros an inch, and they'll take a mile.

-- 
Jason McBrayer      | “Strange is the night where black stars rise,
jmcbray at carcosa.net | and strange moons circle through the skies,
                    | but stranger still is lost Carcosa.”
                    | ― Robert W. Chambers,The King in Yellow

Previous message (by thread): Caching and sizes, the explosion of responise codes (was Re: Caching and status codes)
Next message (by thread): Caching and sizes, the explosion of responise codes (was Re: Caching and status codes)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Gemini mailing list