Slashdot Mirror

← Back to Stories (view on slashdot.org)

Your Browser History Is Showing

Posted by samzenpus on from the wasted-days-and-wasted-art dept.

tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."

17 of 174 comments (clear)

  1. Not mine by Monoman · · Score: 4, Informative

    No Script baby

    --
    Keep the Classic Slashdot.
    1. Re:Not mine by gazbo · · Score: 5, Informative

      No Script may help in this case, but not in general. There was a story here only a couple of weeks back talking about a pure CSS method for doing exactly this.

    2. Re:Not mine by countertrolling · · Score: 3, Informative

      I third it. I never browse at work.

      --
      For justice, we must go to Don Corleone
    3. Re:Not mine by ekhben · · Score: 2, Informative

      Both use the same overall technique, which is that browsers display visited links differently to unvisited links. The JS implementation trawls a set of links looking for particular markers in the font colour or size, and the CSS implementation uses "a:visited {background-image:...}" to trick the browser into telling the server which links are visited and which are not.

      The Link Status extension for FF3.5 can disable the :visited pseudo-class, preventing both methods from working.

  2. It's slashdotted by tepples · · Score: 3, Informative
    Twice in a row, all I get is

    Expired

    This URL has expired. Please return to the home page.This is likely because of increased load. It shouldn't happen again.

  3. Re:Microsoft actually did something right by sam0vi · · Score: 5, Informative

    I'm using FF 3.0.11 on Jaunty with history disabled, and it did not get anything from my browser even though the "recently closed tabs" menu has many entries in it. All i got was a black square. I also had to tell NoScript to allow their domain. This made me feel better about my paranoid ways!

    --
    When my Karma level reaches 0 I feel in piece with the Universe
  4. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  5. Re:This methodology is actually quite old by Anonymous Coward · · Score: 4, Informative

    New about:config setting in FF 3.5:
    layout.css.visited_links_enabled

    If "visited" is a useful feature for you check out SafeHistory:

    Restricts the marking of visited links on the basis of the originating document, defending against web privacy attacks that remote sites can use to determine your browser history at other sites

  6. Known since at least 2006 by ugen · · Score: 4, Informative

    http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

    Of course there is no reason this is still not fixed (by being able to disable a:visited style).

    1. Re:Known since at least 2006 by maxume · · Score: 2, Informative

      Bugzilla bug 57351 was reported in October of 2000:

      https://bugzilla.mozilla.org/show_bug.cgi?id=57351

      (Bugzilla may or may not still hate Slashdot, copy and paste if clicking the link does not work).

      --
      Nerd rage is the funniest rage.
  7. Re:Did not work for me by radtea · · Score: 3, Informative

    Eh, noscript has become adware in the last year.

    This is an out-dated claim: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ It pertains to an ugly episode for which the NoScript author is rightfully apologetic.

    It's a curious phenomenon, how the mind closes once a certain type of conclusion has been reached. This is the phenomenon that lead to the the NoScript/AbBlock war, and it seems entirely unfruitful to emulate exactly the kind of thinking that caused the issue in the first place.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  8. Re:...So.... by Goaway · · Score: 2, Informative

    This has been known for several years, and none of the browsers have done anything to fix it.

  9. Re:...So.... by uglyduckling · · Score: 4, Informative

    Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does it it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already. Perhaps the best compromise would be to allow changes to link style only within the domain of the page that's attempting to set that style. But it's still a major backward step in usability. The other option might be to disable link styles for pages that have greater than a certain number of links (say 50).

  10. Re:...So.... by vidarh · · Score: 3, Informative
    Whether or not you can *read* the history of a browser is irrelevant if you want to know whether or not a user has visited a specific site. In that case you can simply create a page that will set appropriate CSS rules to make the browser try to load a specific background image for visited URL's for each site you want to check for. Then when the user loads your page, you'll get a barrage of what you call http pings, and all you need to do is collate that information and you know which of the sites you care about that the user has visited recently.

    It's less invasive than being able to wholesale dump the browser history (you don't know when the sites were visited, for example), but protecting against it also means disabling functionality (you'd need to prevent an app from being able to tell whether or not a link on it's own page has been clicked via CSS rules or other means, which means either disabling the distinction between visited or not completely or disabling reading back style information and/or preventing setting CSS rules that trigger loading of external resources).

  11. workaround in firefox by denominateur · · Score: 5, Informative

    in firefox:

      set layout.css.visited_links_enabled to FALSE in about config

    This will break (a tiny part of) the layout of sites that use CSS to change the style of links that were visited by the user, but it protects against this problem.

  12. Re:...So.... by Anonymous Coward · · Score: 1, Informative

    Then you investigate the DOM to see which is there...

  13. Re:Microsoft actually did something right by noirsoldats · · Score: 2, Informative

    Hate to tell you, this /.'d sites methods are... Extremely overkill.. You can do the same thing without any Javascript at all.. So your little 'No Script' bubble has just been popped. http://www.making-the-web.com/misc/sites-you-visit/nojs/