by newsignup 3517 days ago
> The GIPHY service could use subtleties like TLS session resume or cache hits to try to correlate multiple requests as having come from the same client, even if they don't know the origin.

How would a cache hit mean the same user tried to search? TLS session resume I can understand, but a cache hit only means the same resource was accessed, not that the same user tried to access it.

2 comments

You cache a unique ID and then see if you get a hit.
Which unique id? I thought the point of sending it via Signal was to not include any user id or any other id.
I don't know which attack the Signal guys had in mind, but usually how this works is that the server serves a file with a unique ID to a person, sees that it gets requested, then serves the same thing again in a subsequent request to a suspect, sees that it's not requested, and treats that as evidence that the two accounts are actually the same person.

It's obviously easier when you can correlate this with a single account, but that's the gist of the attack.

Ah!

But this will correlate one file to that person and will not be able to correlate multiple file requests as all belonging to the exact same person.

Presumably the clients cache GIFs, maybe even search results, instead of re-fetching them every single time.
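The signal discussed in the comments above, and what keying the client cache per identity does to it, as an added offline simulation that is not part of the thread and is not Signal's or GIPHY's code. The class names, identity labels and marker ID are constructed for illustration.

```python
# Constructed simulation: no network traffic; all names and IDs are hypothetical.

class Server:
    """Serves resources and records which requests actually reach it."""
    def __init__(self):
        self.seen = []  # (resource_id, identity_label) for every request received

    def fetch(self, resource_id, identity_label):
        self.seen.append((resource_id, identity_label))
        return f"bytes-for-{resource_id}"


class Client:
    """A device cache, either shared by all identities or keyed per identity."""
    def __init__(self, server, partitioned):
        self.server = server
        self.partitioned = partitioned
        self.cache = {}

    def get(self, identity, resource_id):
        key = (identity, resource_id) if self.partitioned else resource_id
        if key not in self.cache:
            # Cache miss: this request is visible to the server.
            self.cache[key] = self.server.fetch(resource_id, identity)
        return self.cache[key]


def server_can_link(partitioned, same_device=True):
    """True if the server log shows identity B never asked for a resource
    that identity A already fetched, i.e. both appear to share one cache."""
    server = Server()
    dev_a = Client(server, partitioned)
    dev_b = dev_a if same_device else Client(server, partitioned)
    marker = "unique-marker-001"  # constructed ID, served to both identities
    dev_a.get("identity-A", marker)
    dev_b.get("identity-B", marker)
    requesters = [label for rid, label in server.seen if rid == marker]
    # A missing second request is the evidence described in the thread.
    return "identity-B" not in requesters


if __name__ == "__main__":
    print("shared cache, same device:     ", server_can_link(False))
    print("partitioned cache, same device:", server_can_link(True))
    print("shared cache, separate devices:", server_can_link(False, same_device=False))
```

With a per-identity cache key, every identity's first request reaches the server, so the absence of a request no longer distinguishes one device from two.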