5 comments

[ 3.1 ms ] story [ 19.7 ms ] thread
The slides explain what this is for much better than the README. The goal is to exfiltrate data from a compromised endpoint in a "high-security enterprise" in a way that's difficult to detect.

The "sender" makes requests (or doesn't make them, to send 0 vs. 1) on a pre-determined schedule to an unpopular resource on a popular, unaffiliated third-party server. The "receiver" can request the same resource a few seconds later, and can determine based on the cache-related HTTP headers returned whether the page was generated recently or just now, with the current request. This of course requires the server to expose information about server-side caching via the headers; the example given is that the Expires header may be used to infer the original generation time.

A much better attack is the timing channel: A page which accesses resources from disk will be faster if someone else has accessed it recently. I don't know why they missed that...
(comment deleted)