Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sniffing Browser History Without Javascript

Posted by kdawson on from the hole-in-css dept.

Ergasiophobia alerts us to a somewhat alarming technology demonstration, in which a Web site you visit generates a pretty good list of sites you have visited — without requiring JavaScript. NoScript will not protect you here. The only obvious drawbacks to this method are that it puts a load on your browser, and that it requires a list of Web sites to check against. "It actually works pretty simply — it is simpler than the JavaScript implementation. All it does is load a page (in a hidden iframe) which contains lots of links. If a link is visited, a background (which isn't really a background) is loaded as defined in the CSS. The 'background' image will log the information, and then store it (and, in this case, it is displayed to you)."

17 of 216 comments (clear)

  1. Re:For the Masses by CopaceticOpus · · Score: 3, Insightful

    Anyone who allows their browser to cache and keep a history is stupid? Perhaps your tin foil hat is a size too small.

  2. Re:For the Masses by Goaway · · Score: 4, Insightful

    Some of us actually use the browser history.

  3. Re:big issue is NoScript by bcrowell · · Score: 1, Insightful

    Hmm...my GP post is modded -1 troll, and the parent post, which says "This is not a troll," and explains why, is also modded -1 troll. It's too bad that you can't both mod and comment; I'd have liked to know why the mods thought there was something trollish about both posts.

    --
    Find free books.
  4. Re:big issue is NoScript by bcrowell · · Score: 5, Insightful

    Stop overreacting, that is old news and long since fixed.

    Letting someone else's code run on my computer is an act of trust. Once they've shown they're untrustworthy, that's it, as far as I'm concerned. The world's best security software is no good if the author is someone who's demonstrated at least once that you can't trust him.

    NoScript is no more "malware" than Firefox itself.

    This is an interesting statement, but I don't understand your reasoning. Maybe you could explain more. Have the developers of Firefox done something untrustworthy?

    I'm sure you have more crapware and malware installed on your computer that you're blissfully unaware of than you care to admit,

    I don't understand how you know so much about my computer. Maybe you could explain more how you became so well informed about what's on my hard disk. I'm running Ubuntu. Are you aware of a lot of crapware that comes with a freshly installed Ubuntu system? Are you aware of a lot of malware that's been observed in the wild infecting Ubuntu systems? If so, I'd be very interested to hear about it.

    --
    Find free books.
  5. Re:big issue is NoScript by bcrowell · · Score: 5, Insightful

    It seems like it's been fixed.

    The issue isn't that the software had a bug that had to be fixed. The issue is that the author of the software has shown himself to be untrustworthy by making his software interfere with other software, for the purpose of increasing his own financial gain from ads.

    --
    Find free books.
  6. Re:For the Masses by MightyYar · · Score: 5, Insightful

    Most people will never understand and basic exploits like this will always work against them.

    So what, we shouldn't fix it then? The fix is dead-simple: the browser should load all "a:visited" images, regardless of whether or not it will display them.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  7. Alarming? by actionbastard · · Score: 2, Insightful

    From an exploit standpoint, no. From an editorial standpoint, yes.

    --
    Sig this!
  8. Re:In Soviet Russia, web sites visit you by Anonymous Coward · · Score: 2, Insightful

    Well, I defeated that by dynamically creating a new home directory on the fly for each startup, populating it with a template set of files Firefox expects, setting the HOME environment variable to that path, and starting the Firefox process. So the scanning of my browser is limited to just what this one I use for Slashdot has visited recently.

    Script plz?

    This has been a pet peeve of mine for ages. I've got a bunch of users in a Windows environment without Cygwin, but I'd translate the shell script into DOS .BAT if that's what it takes to solve this problem.

  9. Re:big issue is NoScript by Blue+Stone · · Score: 3, Insightful

    If anything, I'd say the author of Noscript has proved two things: one, that he is human and makes mistakes, and two, that he has the integrity of character to appologise for his mistakes and rectify them. Neither of which makes him any less trustworthy than anyone else.

    Unless you're one of those people who believes that anyone less than perfect with a flawless record of behaviour deserves to be castigated for all time for their transgressions, i suggest you consider a concept called 'forgiveness' which, I believe is most appropriate where the transgressor shows genuine remorse. It seems applicable in this situation, but of course, I can only speak for myself.

    (I don't know the guy & I use both noscript and adblock+ with easylist)

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  10. Re:big issue is NoScript by Korin43 · · Score: 5, Insightful

    Easylist blocks ads. Easylist blocked an ad on his site. How is this their fault? They are doing exactly what they say they do.

  11. Re:big issue is NoScript by Anonymous Coward · · Score: 1, Insightful

    You certainly speak for quite a few more than yourself. I for one am really glad someone said it - personally I think a lot of people got way too upset about this, many of which (from the arguments I've read) did not really understand the issue.

  12. Re:OT: Re:big issue is NoScript by BrokenHalo · · Score: 5, Insightful

    the "no mod and comment" rule is perhaps one of the most ill-concieved rules I have seen.

    Then perhaps you haven't understood the concept behind the rule. The idea is to prevent individuals having unrestrained ability to push an agenda of their own: hence mod or post, but not both.

    Unlike some other long-standing rules on this forum, this is one that actually has very sound reasoning behind it.

  13. Re:big issue is NoScript by supernova_hq · · Score: 5, Insightful

    Don't confuse forgiveness with trust.

    If someone borrowed your car and backed into a telephone pole, you would be upset. If they paid for the damages, you would probably forgive them. But the question is: Would you trust them with your car..?

  14. Re:Old stuff by eiMichael · · Score: 5, Insightful

    Just make "visited" only apply within that domain, like a bastardized cookie. I don't care that us.gov knows which other us.gov links I've been to, but I don't want my browser reporting that I've also been to al-quada.org.

  15. Re:For the Masses by aamcf · · Score: 2, Insightful

    Unless you're visiting illegal sites.

    Or sites that are unpopular among your peer group.

    And what about people in repressive regimes who visit illegal sites?

    By exposing your history, there is pressure on you to conform to the standards of those who hold power over you. Not a good thing.

  16. Re:Will it.. by tiananmen+tank+man · · Score: 2, Insightful

    The parent post is marked informative? Informative like it is easy to tell who is a terrorist by the length of their beard?

  17. Re:big issue is NoScript by arose · · Score: 2, Insightful

    Half apology, half counterattack.

    Most of his users want stuff blocked not look at his ads, they don't consider him or google special, why not white list all advertisers, not only his own? Not to mention the update mill and resulting page visits. If he could manage to not realize what the hell he was doing once (and I'm not sure I believe that, the default white list and updates had made me iffy even before the incident), he can do it again. I don't want to be there when that happens, not after opening adblock plus one day and seeing white lists Inever added and Inever had EasyList, just a handful of manually added rules.

    --
    Analogies don't equal equalities, they are merely somewhat analogous.