Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sniffing Browser History Without Javascript

Posted by kdawson on from the hole-in-css dept.

Ergasiophobia alerts us to a somewhat alarming technology demonstration, in which a Web site you visit generates a pretty good list of sites you have visited — without requiring JavaScript. NoScript will not protect you here. The only obvious drawbacks to this method are that it puts a load on your browser, and that it requires a list of Web sites to check against. "It actually works pretty simply — it is simpler than the JavaScript implementation. All it does is load a page (in a hidden iframe) which contains lots of links. If a link is visited, a background (which isn't really a background) is loaded as defined in the CSS. The 'background' image will log the information, and then store it (and, in this case, it is displayed to you)."

27 of 216 comments (clear)

  1. Well, we fixed it... by slarrg · · Score: 4, Funny

    You can't tell what sites I've been to if it's Slashdotted!

  2. Old stuff by kasot · · Score: 5, Informative

    The CSS history hack has been known since (at least) August 2006: http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

    1. Re:Old stuff by Anonymous Coward · · Score: 4, Informative

      Long before that, honestly.

      There are Firefox extensions that can help protect against this (see http://www.safecache.com/ and http://www.safehistory.com/ ), but they break enough things on the web that even their creators admit they're not terribly practical.

      (Disclaimer: Two of the folks that worked on this also worked for awhile on Chromium with me.)

    2. Re:Old stuff by zmooc · · Score: 5, Informative

      Bug 57351 - css on a:visited can load an image and/or reveal if visitor been to a site
      Reported: 2000-10-19 16:57 PDT by Jesse Ruderman

      --
      0x or or snor perron?!
    3. Re:Old stuff by glodime · · Score: 5, Informative

      Bug 57351

      Was marked ass a duplicate of 147777
      See: https://bugzilla.mozilla.org/show_bug.cgi?id=147777

      Vitaly Sharovatov and Walt Gordon Jones have an interesting back and forth on ideas for a proper fix. Search the page linked below for "Walt Gordon Jones" to follow the conversation.
      http://sharovatov.wordpress.com/2009/04/21/startpaniccom-and-visited-links-privacy-issue/

      Walt Gordon Jones summarizes his point:

      The idea that the only way to protect your history data is to give up keeping history at all seems broken to me. Just because the information is in the browser, and I may use it in other ways, doesn't mean it has to be used to mark up the rendered HTML on sites I visit. There's nothing that inextricably ties history to the browser's rendering engine.

    4. Re:Old stuff by eiMichael · · Score: 5, Insightful

      Just make "visited" only apply within that domain, like a bastardized cookie. I don't care that us.gov knows which other us.gov links I've been to, but I don't want my browser reporting that I've also been to al-quada.org.

    5. Re:Old stuff by Philip_the_physicist · · Score: 5, Interesting

      Alternatively, make browsers download all the pseudoclasses for links, so that it is impossible for sites to use this to track users, but without removing the utility of having marked "visited" links. This could be done by browsers without needing any change to the standards, AFAICT.

    6. Re:Old stuff by zobier · · Score: 4, Informative

      Alternatively, add
      a:visited { background-image: none ! important; }
      To your userContent.css
      I can confirm that this works.

      --
      Me lost me cookie at the disco.
  3. big issue is NoScript by bcrowell · · Score: 5, Informative

    I'd care a lot more about this if NoScript was still a viable option. NoScript has become malware at this point. The real issue is the need for someone more trustworthy to make a simpler, and more trustworthy replacement for NoScript. Please? Pretty please?

    --
    Find free books.
    1. Re:big issue is NoScript by Anonymous Coward · · Score: 5, Interesting

      This is not a troll. I wouldn't go so far as saying NoScript is malware, but the author is unscrupulous. For what the addon does, it sure gets updated a lot!

    2. Re:big issue is NoScript by bcrowell · · Score: 5, Insightful

      Stop overreacting, that is old news and long since fixed.

      Letting someone else's code run on my computer is an act of trust. Once they've shown they're untrustworthy, that's it, as far as I'm concerned. The world's best security software is no good if the author is someone who's demonstrated at least once that you can't trust him.

      NoScript is no more "malware" than Firefox itself.

      This is an interesting statement, but I don't understand your reasoning. Maybe you could explain more. Have the developers of Firefox done something untrustworthy?

      I'm sure you have more crapware and malware installed on your computer that you're blissfully unaware of than you care to admit,

      I don't understand how you know so much about my computer. Maybe you could explain more how you became so well informed about what's on my hard disk. I'm running Ubuntu. Are you aware of a lot of crapware that comes with a freshly installed Ubuntu system? Are you aware of a lot of malware that's been observed in the wild infecting Ubuntu systems? If so, I'd be very interested to hear about it.

      --
      Find free books.
    3. Re:big issue is NoScript by bcrowell · · Score: 5, Insightful

      It seems like it's been fixed.

      The issue isn't that the software had a bug that had to be fixed. The issue is that the author of the software has shown himself to be untrustworthy by making his software interfere with other software, for the purpose of increasing his own financial gain from ads.

      --
      Find free books.
    4. Re:big issue is NoScript by Korin43 · · Score: 5, Insightful

      Easylist blocks ads. Easylist blocked an ad on his site. How is this their fault? They are doing exactly what they say they do.

    5. Re:big issue is NoScript by NimbleSquirrel · · Score: 4, Interesting

      On the surface it seems like NoScript had descended into the point of malware, but take a look into the history of why Giorgio did what he did and you will see that AdBlockPlus (Wladimir) and EasyList (Ares2) weren't entirely innocent in the matter (namely specifically blacklisting NoScript's domains). I notice that Giorgio was quick to apologise for his part, but Wladimir still refuses to apologise for his actions that certainly contributed.

      Yes, there needs to be a more trustworthy NoScript, but at the same time there also need to be a more trustworthy AdBlockPlus and more transparency over subscription filtersets like EasyList.

      I, personally have taken AdBlockPlus off my system, not because of this debacle, but because one of the updates recently broke my browser. I have found Privoxy much better suited to my needs.

    6. Re:big issue is NoScript by VGPowerlord · · Score: 5, Informative

      If anything, I'd say the author of Noscript has proved two things: one, that he is human and makes mistakes, and two, that he has the integrity of character to appologise for his mistakes and rectify them. Neither of which makes him any less trustworthy than anyone else.

      From what I hear, he only "apologized" and fixed the problem for several reasons:
      1. Because the Firefox devs said that NoScript was breaking Firefox's Add-on Policy when it started monkeying around with AdBlock Plus.
      2. NoScript's rating was plummeting on the Firefox Add-on site. If this rating drops too much, NoScript would no longer be considered a trusted add-on, and therefore every version would be subject to security review before it exited the Sandbox.

      Oh, yes, you read that correctly. NoScript is currently not reviewed before new versions go up on the Firefox add-on site.

      Incidentally, Mozilla made a new policy spelling out some restrictions for add-ons after this incident.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    7. Re:big issue is NoScript by supernova_hq · · Score: 5, Insightful

      Don't confuse forgiveness with trust.

      If someone borrowed your car and backed into a telephone pole, you would be upset. If they paid for the damages, you would probably forgive them. But the question is: Would you trust them with your car..?

    8. Re:big issue is NoScript by yoyhed · · Score: 4, Funny

      Are you aware of a lot of crapware that comes with a freshly installed Ubuntu system?

      Does Ubuntu come with emacs?

      --
      WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
  4. Re:Will it.. by orange47 · · Score: 4, Informative

    its easy to tell, with that nickname of yours.. :)

  5. How to interpret results by noidentity · · Score: 4, Funny
    If the server responds

    Service Temporarily Unavailable

    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

    then it means you've come from Slashdot.

  6. Re:Doesn't work on me by Kotoku · · Score: 4, Funny

    Awesome! Now for all the people who can take and act upon that advice, we can protect .000001% of the population.

    It's a start!

    --
    AnimePapers.org: Anime Wallpapers Handled With Care
  7. Re:For the Masses by Goaway · · Score: 4, Insightful

    Some of us actually use the browser history.

  8. Re:It requires an iframe, so noscript will help yo by yacc143 · · Score: 5, Informative

    It does not require an iframe. It's just that this way it's easier to hide any visual clues.

    The basic hack works simple. It sets a different style for visited links. (As such it will only match exact URLs). And one of the cool things your style for visited links specifies is a background URL that works as a webbug.

    yacc

  9. Re:For the Masses by MightyYar · · Score: 5, Insightful

    Most people will never understand and basic exploits like this will always work against them.

    So what, we shouldn't fix it then? The fix is dead-simple: the browser should load all "a:visited" images, regardless of whether or not it will display them.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  10. Re:For the Masses by Opportunist · · Score: 5, Funny

    And some of us use one browser for their everyday surfing and one for the naughty pages... I mean, I would do that if I surfed to naughty pages, of course...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  12. Re:Chrome by Z80xxc! · · Score: 4, Informative

    would be a lot easier if I could run two separate instances of Firefox simultaneously.

    Send Firefox developers a polite nasty-gram, telling them that you want the ability to open a second, third, or even fourth instance of FF in seperate memory space.

    This functionality already exists.

    "%programfiles%\Mozilla Firefox\firefox.exe" -P "profile to use" -no-remote

  13. Re:OT: Re:big issue is NoScript by BrokenHalo · · Score: 5, Insightful

    the "no mod and comment" rule is perhaps one of the most ill-concieved rules I have seen.

    Then perhaps you haven't understood the concept behind the rule. The idea is to prevent individuals having unrestrained ability to push an agenda of their own: hence mod or post, but not both.

    Unlike some other long-standing rules on this forum, this is one that actually has very sound reasoning behind it.