Prefetching

Mon, 17 Sep 2007

Out of curiosity, I turned on the setting in Firefox that asks you about every single cookie that a website wants to set. My thinking was that it would be annoying for the first few weeks, and then become tolerable (as it learns my preferences for the sites that I visit). The weird thing that I did notice was that when searching for various things on Google, I would get requests for cookies from the website that came up as the #1 result, without me even clicking on the link. This made me a little nervous, as it seems like a case of my browser doing something that I didn't ask for, which is typically a sign of a security issue.

The cause of all this isn't very hard to understand. The HTML code which triggered my browser to visit another site was a link tag with a "rel" attribute of "prefetch": <link rel="prefetch" href="http://www.example.com/">. This is a hint from the webpage that we are probably about to visit http://www.example.com/ and that we might want to download that webpage now, so that when we click on the link, the page is already ready to be displayed. If it guesses correctly, it should speed up your web browsing lots, because you typically read a page before clicking any of the links on it, so having those links loaded before you click on them is a real saving.

So what types of things could a malicious user do? The things which come to my mind are faking clicks on an ad (to get money) and faking clicks on links as the user (if the user is logged into a website, then an attacker may be able to do stuff on that website without the user's permission). Those are the two big things I can think of, but when you look at what an attacker has to do, I think the threat is quite small. The main problem is that once the attacker is in a position where they can get your browser to fetch a link behind your back, there are heaps of other ways they could do the same thing (like an invisible iframe, or some JavaScript, or whatever). Actually they can do far worse things that way, since a prefetch doesn't mean that the HTML will be rendered, only downloaded. This is typically called an XSS attack, and it is a problem when someone can put whatever they want on your website. The comments form on this page has a very simple prevention of such attacks: it strips out almost everything.

[Figure: an example HTTP request sent when I search for "yahoo"]

Now, although I don't think this prefetch thing is a hugely big problem, there is a danger in having Google doing prefetches (note that it doesn't do prefetches for every search; I think it is only for pages with a high enough PageRank - compare gmail vs friendly robot overlord). Suppose you are the person who gets the #1 result from Google when people search for "bimijinklix" (which will probably be this site in a few weeks) and your page has a high enough PageRank to get prefetched. Once you have this, anyone who searches for "bimijinklix" will automatically download your page. Now all you have to do is change what they download, so instead of getting your page, maybe they get the page that they go to when they click on one of your banner ads (which earns you $400 per click). This is a bit more difficult, because at least at this stage, Firefox doesn't follow redirects in prefetches. What you can do is modify your DNS records, so instead of going to the real server for your site, they go to the ad company's server. There are a whole lot of places where this can go wrong: you only get to choose the IP address of the server, not the actual page requested, and any ad server worth its salt will always be handing out unique links every time an ad is requested, so it would just look like one ad being clicked on lots of times. It is probably too complicated to be worth doing (especially since a user will probably click on the first link from Google anyway).

The only other thing which I'm slightly nervous about is that the website you search for can get and set cookies without you visiting their site. So if you own the #1 spot on Google for a particular query and you have high enough PageRank to get prefetches, you can automatically profile how many people are searching for a particular keyword, and you can track how many times an individual does such a search.
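One server-side way to address the two concerns above (fake clicks and cookies set without a visit), as an added example rather than code from this post: Firefox labels prefetch requests with an "X-moz: prefetch" header, so a site can refuse them on sensitive paths and drop cookies from the rest. The Purpose and Sec-Purpose headers come from later browsers, and the paths, cookie value, demo_app and run helper are constructed for illustration.

```python
# Headers with which browsers label a prefetch (a hint set by the browser).
PREFETCH_HEADERS = {
    "HTTP_X_MOZ": "prefetch",        # Firefox link prefetching
    "HTTP_PURPOSE": "prefetch",      # older Chromium-based browsers
    "HTTP_SEC_PURPOSE": "prefetch",  # current Fetch specification
}

def is_prefetch(environ):
    """True when the browser labelled this request as a prefetch."""
    for key, token in PREFETCH_HEADERS.items():
        # Sec-Purpose may carry parameters, e.g. "prefetch;prerender"
        if environ.get(key, "").lower().split(";")[0].strip() == token:
            return True
    return False

class PrefetchGuard:
    """WSGI middleware: refuse prefetches on sensitive paths, strip cookies elsewhere."""
    def __init__(self, app, sensitive_prefixes=("/click", "/account")):
        self.app = app
        self.sensitive = tuple(sensitive_prefixes)  # hypothetical paths

    def __call__(self, environ, start_response):
        if not is_prefetch(environ):
            return self.app(environ, start_response)
        if environ.get("PATH_INFO", "/").startswith(self.sensitive):
            # A prefetch is not a click: never count it or act on it.
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Cache-Control", "no-store")])
            return [b"prefetch refused\n"]
        def start_without_cookies(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != "set-cookie"]
            return start_response(status, kept, exc_info)
        return self.app(environ, start_without_cookies)

def demo_app(environ, start_response):
    # Constructed sample application that sets a cookie on every response.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "visitor=abc123; Path=/")])
    return [b"hello\n"]

def run(path, extra_headers=None):
    """Send one constructed request through the guard; return (status, headers)."""
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, **(extra_headers or {})}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(PrefetchGuard(demo_app)(environ, start_response))
    return seen["status"], seen["headers"]
```

The header is only a label the browser adds to its own prefetches, so this protects users of honest browsers; it is not a defence against a client that chooses to omit it.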

You can turn this off if you don't like all this stuff (go to about:config and search for "prefetch"). I'm not sure, but you might need to restart Firefox to get it back on. I can't seem to get it to work now I've turned it off. I will be keeping it on, since the risks are so minor, and I'm blocking nearly every cookie now, so there isn't much of a privacy issue.

Some servers disallow prefetchers because their bandwidth costs have gone up since Firefox added that feature. I think it was Mathematica or Mathworld that I found blocking me a while back (they seem to have removed that block). Take a look at http://skattertech.com/2006/02/how-to-block-fasterfox-requests/
21 hours after story