On Tue, Feb 21, 2017 at 9:33 PM, Martin Thomson <
m...@mozilla.com> wrote:
> Also, Firefox isn't alone in caching intermediates. I think
> that you will find that other browsers all do the same thing.
>
The difference isn't that Firefox caches intermediates, it's that it
doesn't fetch non-cached ones. This paper describes taking advantage of
this fact to determine which intermediates have been cached in Firefox. You
might be able to use timing attacks to determine whether particular
intermediates have been cached in other browsers, but you'd only get one
sample per intermediate because it would be a destructive test. And then it
would be useless as an identifier to track the same person on a future
visit.
It's an interesting bit of information leakage. Less useful as a
"super-cookie" than HSTS, but probably equally bad news to Tor Browser
users.
-Dan Veditz