I saw the following article on the GOS blog: Google Search Pages Load Faster if You Use Google Toolbar. It turns out that Google added an experimental feature in the Google web servers and the Google toolbar to reduce the network traffic by supplying a dictionary of frequently used page elements (BTW, I find the fact of adding support for this to IE via toolbar ingenious).
Is it just me, or did others also instantly think: cool, yet another way to profile web users to see if they visited a certain site (similar to the attacks which used time measurements to find out if a particular element is taken from the cache or fetched from the network). The document says that each dictionary is limited to a domain though…
Another possible avenue of attack I see is that a malicious domain advertises the same dictionaries as a benign domain (either by specifying the target domain or the “.” domain) and inserts malicious content in the dictionary. The VCDiff content is protected by an Adler CRC, but one can generate content with a chosen CRC in linear time by adding just 4 bytes.
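The checksum weakness mentioned above, shown from the verifier's side as an added example (it is not from the original post or from Google's implementation): a three-byte edit that Adler-32 cannot see, next to SHA-256, which does see it. The sample payload and the function names are constructed for illustration.

```python
import hashlib
import zlib


def adler32_preserving_edit(data: bytes, pos: int) -> bytes:
    """Return different bytes with the same Adler-32 as `data`.

    Adler-32 keeps two sums: A (sum of bytes) and B (sum of the running A
    values). Adding +1, -2, +1 to three consecutive bytes leaves both sums
    unchanged, so the checksum cannot see the edit.
    """
    b0, b1, b2 = data[pos], data[pos + 1], data[pos + 2]
    if b0 > 254 or b1 < 2 or b2 > 254:
        raise ValueError("bytes at this position would leave the 0..255 range")
    out = bytearray(data)
    out[pos], out[pos + 1], out[pos + 2] = b0 + 1, b1 - 2, b2 + 1
    return bytes(out)


def integrity_report(original: bytes, received: bytes) -> dict:
    """Compare what a checksum and a cryptographic hash say about two payloads."""
    return {
        "same_bytes": original == received,
        "adler32_match": zlib.adler32(original) == zlib.adler32(received),
        "sha256_match": hashlib.sha256(original).digest()
        == hashlib.sha256(received).digest(),
    }


# Constructed sample standing in for decoded dictionary-compressed content.
SAMPLE = b'<div class="result">benign shared page element</div>'
TAMPERED = adler32_preserving_edit(SAMPLE, 20)
REPORT = integrity_report(SAMPLE, TAMPERED)

if __name__ == "__main__":
    print(SAMPLE)
    print(TAMPERED)
    print(REPORT)
```

A checksum of this kind only catches accidental corruption; detecting deliberate substitution needs a collision-resistant hash or a MAC whose expected value comes from a trusted source.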
Picture taken from jovike’s photostream with permission.