
Research on Defense Strategy against Browser Cache Pollution

DAI Chengrui1, CHEN Wei2

  1. Nanjing University of Posts and Telecommunications, 66 Xinmofan Road, Gulou District, Nanjing, Jiangsu
  2. Nanjing University of Posts and Telecommunications
  • Received: 2017-09-04  Revised: 2017-11-06  Online: 2017-11-06
  • Corresponding author: CHEN Wei


Abstract (translated from the Chinese original): The browser cache is mainly used to speed up users' requests for network resources and thus provide a good user experience, but it also faces security threats: an attacker can carry out a cache pollution attack by means such as a man-in-the-middle attack, and if the user is not in the habit of clearing the browser cache, the polluted resources will harm the user for a long time. Whatever method the attacker uses, the goal is the same, namely to pollute the user's cache. We therefore propose a tunable browser cache pollution defense strategy that sits between the user and the server. It does not concern itself with whether the user has already been polluted, or with which method the attacker used to pollute the browser cache; instead it applies a random-number check, a request/response delay check, a resource representativeness check, hash verification and a crowdsourcing strategy to the resources the user requests. Finally, we simulate cache pollution attacks by means of a man-in-the-middle attack on 100 polluted samples and 100 normal samples. The results show that under loose conditions the hit rate on polluted samples reaches 87% with a 0% false positive rate on normal samples, while under strict conditions the hit rate reaches 95% with a 4% false positive rate. The strategy simplifies the cache pollution defense process and can strike a balance between user experience and security through different parameter settings.

Keywords (translated from the Chinese original): Web security, cache pollution defense, man-in-the-middle attack, user behavior, user experience

Abstract: The browser cache is mainly used to speed up the processing of requests for network resources in order to achieve a good user experience, but it also faces security threats. Attackers can carry out cache pollution attacks via man-in-the-middle attacks, and a polluted resource will stay in the user's cache for a long time if the user is not in the habit of clearing it. Regardless of the way the attacker proceeds, the purpose is the same: to pollute the user's browser cache. We propose a controllable browser cache pollution defense strategy deployed between the client and the server. The strategy does not need to know whether the user's cache is already contaminated, or how it was contaminated. It includes three kinds of judgement (a random-number check, a request-response delay check and a check on the popularity of the resource) together with hash verification and a crowdsourcing strategy. Finally, we run simulation experiments in which 100 samples are polluted via a man-in-the-middle attack and compared with 100 normal samples under the defense strategy. The results indicate that, under loose conditions, the hit rate on polluted resources is 87% and the false positive rate on normal samples is 0%, while under strict conditions the former rises to 95% and the latter rises to 4%. The strategy simplifies the process of cache pollution prevention and, through different parameter settings, makes a tradeoff between security and usability that can be adjusted to different users.

Key words: Web Security, Cache Defense Strategy, Man-In-The-Middle Attack, User Behavior, User Experience
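The abstract names the five checks but not how they are combined. The following is an added example, not code from the paper or its authors, that sketches one way a proxy sitting between client and server could compose such a verdict: a cache-busting nonce in the query string for the random-number check, a round-trip threshold for the delay check, a minimum request count for representativeness, SHA-256 comparison for hash verification, and a majority of peer-reported hashes for crowdsourcing. The parameter values, the `_cb` parameter name, the `Policy`/`judge` names, the `example.test` URL, the sample bodies and the peer hashes are all assumptions of this example; the paper's actual thresholds and decision logic are not given on this page.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def sha256_hex(body: bytes) -> str:
    """Hash of a resource body: the unit of comparison for every check below."""
    return hashlib.sha256(body).hexdigest()


def cache_busting_url(url: str, nonce: Optional[str] = None) -> str:
    """Random-number check: append an unpredictable nonce to the query string so
    that neither the browser cache nor an intermediate cache can answer this
    probe with a stored (possibly polluted) copy. The parameter name `_cb` is
    an assumption of this example, not something the paper specifies."""
    if nonce is None:
        nonce = secrets.token_hex(8)
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("_cb", nonce))
    return urlunsplit(parts._replace(query=urlencode(query)))


@dataclass(frozen=True)
class Policy:
    """Tunable parameters of the verdict. The numbers below are illustrative
    (assumed for this example), not the paper's 'loose' and 'strict' settings."""
    min_popularity: int        # only probe resources requested by at least this many users
    max_cached_rtt_ms: float   # a probe answered faster than this is suspected to come from a cache
    min_peer_agreement: float  # crowdsourcing: fraction of peers whose hash must equal ours


LOOSE = Policy(min_popularity=5, max_cached_rtt_ms=5.0, min_peer_agreement=0.5)
STRICT = Policy(min_popularity=1, max_cached_rtt_ms=30.0, min_peer_agreement=0.75)


def judge(cached_body: bytes, probe_body: bytes, probe_rtt_ms: float,
          popularity: int, peer_hashes: List[str], policy: Policy) -> str:
    """Combine the checks into one verdict: "skipped", "clean" or "polluted".

    cached_body   what the client's cache currently holds
    probe_body    what a fresh request via cache_busting_url() returned
    probe_rtt_ms  round-trip time of that probe
    popularity    how many users have requested this resource (representativeness)
    peer_hashes   hashes of the same resource reported by other clients (crowdsourcing)
    """
    if popularity < policy.min_popularity:
        return "skipped"                      # not representative enough to pay for a probe
    our_hash = sha256_hex(cached_body)
    if our_hash != sha256_hex(probe_body):
        return "polluted"                     # hash verification: cache and origin disagree
    if probe_rtt_ms >= policy.max_cached_rtt_ms:
        return "clean"                        # delay check: probe plausibly reached the origin
    # The probe returned suspiciously fast, so it may itself have been served by
    # the same polluted cache (e.g. an intermediary stripped the nonce). Fall back
    # to crowdsourcing: trust our copy only if enough peers hold the same hash.
    agreement = (sum(1 for h in peer_hashes if h == our_hash) / len(peer_hashes)
                 if peer_hashes else 0.0)
    return "clean" if agreement >= policy.min_peer_agreement else "polluted"


# Constructed sample data for a stand-alone run (not from the paper's experiments).
GENUINE_JS = b"window.appVersion = '3';"
POLLUTED_JS = GENUINE_JS + b"\n/* constructed payload a MITM might append */"

if __name__ == "__main__":
    print(cache_busting_url("https://example.test/static/app.js?v=3"))
    peers = [sha256_hex(GENUINE_JS)] * 2 + [sha256_hex(POLLUTED_JS)] * 2
    for name, policy in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "tampered cache:", judge(POLLUTED_JS, GENUINE_JS, 120.0, 10, peers, policy))
        print(name, "fast probe, peers split:", judge(GENUINE_JS, GENUINE_JS, 15.0, 10, peers, policy))
```

With these assumed settings the loose policy skips rarely requested resources and trusts a probe that took longer than 5 ms, so it raises fewer alarms; the strict policy probes everything, treats anything under 30 ms as possibly cache-served and then demands that three quarters of peers agree, so it catches more but will also flag a genuine resource whose peers happen to disagree. That is the same kind of experience-versus-security knob the abstract describes, illustrated qualitatively; the example does not reproduce the paper's 87%/95% figures.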
