Slashdot Mirror
Your Browser History Is Showing
tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."
Comment removed based on user account deletion
It all depends on if your inprivate browser history changes the color of links when they are displayed (or in general obey the css style sheets for visited links). Perhaps someone with IE8 can test it out for us [I lack access to a windows machine]?
I tried it.
I got a black screen (apparently no history to be shown).
Either the engine is borked, or my privacy add-ins are working properly...
Or possible the Oracle of Browser History has determined that my history is darker than the darkest dark, and refused to show images.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
No Script baby
Keep the Classic Slashdot.
This methodology is actually quite old. It takes advantage of the CSS a:visited tag. Imagine making a:visited have a width of 5 and A have a width of 100. Drop another element right next to it and then after the page loads, check to see the location of that second element. Even if the browser attempts to block JS from accessing the style applied to the visited link, it can't keep you from accessing everything else on the page. Voila, by injecting a lot of links onto the page, you can find out where a person has been.
This is particularly dangerous because it can make Phishing very powerful. Imagine creating a resource that collects email addresses, but on that same page running this script to check the login pages of major banks. Then, you can send out targeted emails to people who you know have bank accounts at particular providers.
Microsoft actually did something right
You mean like the mode Safari had 4 years ago?
I'm using FF 3.0.11 on Jaunty with history disabled, and it did not get anything from my browser even though the "recently closed tabs" menu has many entries in it. All i got was a black square. I also had to tell NoScript to allow their domain. This made me feel better about my paranoid ways!
When my Karma level reaches 0 I feel in piece with the Universe
So, the choice is
1. Allow everyone in the world to sniff my browsing history.
2. give up the ability to see my own browsing history.
Somehow, this doesn't seem right...
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
So just disable your browser history if you are that paranoid about it. It only takes a few clicks in any major browser. Plus if you for some reason don't want to do that, most browsers now have a private mode that doesn't record those sites in the history.
I think the point can be explained this way: "who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?" Speaking generally about all user data and all remote IP addresses, all remote hosts are on a need-to-know basis and 99.999% of the time, they don't need to know. They particularly don't need to know without prompting the user and asking "do you want to give out this information?" with that question defaulting to "No" and a box, checked by default, which says "Remember this preference".
You can subtly dismiss it as paranoia if you like. That doesn't excuse poor design. Also, globally disabling the browser history would deny the remote Web site access to the browser's history, sure, but it would also deprive the user of this local feature. There should be a more reasonable alternative to either "lose this feature" or "make this feature available to anyone who asks with no regard for privacy." Apparently NoScript provides such an alternative.
It is a miracle that curiosity survives formal education. - Einstein
Comment removed based on user account deletion
1. Allow everyone in the world to sniff my browsing history.
2. give up the ability to see my own browsing history.
How about
3. treat this as a serious security risk and act accordingly (report the bug and use the browser that comes out first with a patch)
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
Of course there is no reason this is still not fixed (by being able to disable a:visited style).
Quote from the final page of the script:
You can get your web2.0collage as a mug,wommens ...
I can have it as WHAT ? Okay, then can i have my wommens without the /. favicon all over them ?
1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
Eh, noscript has become adware in the last year.
This is an out-dated claim: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ It pertains to an ugly episode for which the NoScript author is rightfully apologetic.
It's a curious phenomenon, how the mind closes once a certain type of conclusion has been reached. This is the phenomenon that lead to the the NoScript/AbBlock war, and it seems entirely unfruitful to emulate exactly the kind of thinking that caused the issue in the first place.
Blasphemy is a human right. Blasphemophobia kills.
This has been known for several years, and none of the browsers have done anything to fix it.
Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does it it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already. Perhaps the best compromise would be to allow changes to link style only within the domain of the page that's attempting to set that style. But it's still a major backward step in usability. The other option might be to disable link styles for pages that have greater than a certain number of links (say 50).
It's less invasive than being able to wholesale dump the browser history (you don't know when the sites were visited, for example), but protecting against it also means disabling functionality (you'd need to prevent an app from being able to tell whether or not a link on it's own page has been clicked via CSS rules or other means, which means either disabling the distinction between visited or not completely or disabling reading back style information and/or preventing setting CSS rules that trigger loading of external resources).
And nobody will until someone constructs a detailed history of the porn sites that Steve Ballmer, Sergey Brin and Mitchell Baker have visited.
in firefox:
set layout.css.visited_links_enabled to FALSE in about config
This will break (a tiny part of) the layout of sites that use CSS to change the style of links that were visited by the user, but it protects against this problem.
I heard they collaborated and made their own.
Please mod: -1, Ewwwww.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already.
Sure there is. Have your browser always pull the visited and unvisited styles, then just display the relevant one. Problem solved.
I see France,
I see you shopping online at Victoria's Secret for underpants...
Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does it it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already.
The Web page (HTML, Javascript code, ...) should not be able to detect such differences and be able to report them back home; it's OK to tell the browser how to render visited links, but not to get the feedback by the browser how it rendered which links. The feedback is actually breaking the sandbox principle.
I actually think that the current direction to "the browser is the OS (or even worse, the Flash player in your browser is the OS)" is a security nightmare.
Hate to tell you, this /.'d sites methods are... Extremely overkill.. You can do the same thing without any Javascript at all.. So your little 'No Script' bubble has just been popped. http://www.making-the-web.com/misc/sites-you-visit/nojs/
I learned elsewhere in this thread that Firefox 3.5 has finally implemented such a feature, although it might be off by default and hidden (I'm not sure about that, though).