Rapid history extraction through non-destructive cache timing (v8)

The goal here is to implement fast, reliable, and non-destructive extraction of browsing history by observing cache timings, without exploiting any specific browser quirks. Such attacks were historically regarded as fairly impractical, slow, and noisy - and perhaps more importantly, the initial measurement inevitably tainted the cache for the foreseeable future (such is the case in the well-known paper by Ed Felten). Consequently, as opposed to CSS :visited selectors, no realistic plans have been made to address the underlying weakness, save for some experimental and now-defunct browser add-ons.

While this code is still somewhat crude and fails for a small percentage of visitors, it appears that repeated high-performance cache sniffing is a viable possibility. The approach should allow several hundred URLs to be tested per second without disrupting the cache or causing other side effects. For more, check out these links:


PS. You may also want to check out a "competing" variant inspired by my original post - see here. The author is leveraging image timing for Firefox, and noting that in WebKit, image navigation can be aborted with window.stop(). His code is fairly sensitive to machine performance and does not work for me very reliably, but it's a good alternative in non-MSIE browsers.

Comments? You can always reach me at lcamtuf@coredump.cx.
If you are using NoScript or other privacy tools, the test will fail even if you whitelist this site.