Slashdot Mirror


Browser History Sniffing Is Back

An anonymous reader writes "Remember CSS history sniffing? The leak is plugged in all major browsers today, but there is some bad news: in a post to the Full Disclosure mailing list, security researchers have showcased a brand new tool to quickly extract your history by probing the cache, instead. The theory isn't new, but a convincing implementation is."

4 of 161 comments

  1. Easy work-around by richkh · · Score: 5, Informative

    Fixed cache size of 0.

    1. Re:Easy work-around by icebraining · · Score: 5, Informative

      Cache and history are completely different features. 0 cache means you'll have to download the same CSS/JS/image files over and over again for each page on the same website, which is a waste of resources for both you and the server.

  2. Javascript required? by betterunixthanunix · · Score: 5, Informative

    This appears to require Javascript. Thank you, noscript.

    --
    Palm trees and 8
  3. How by farnsworth · · Score: 5, Informative

    This seems to work by loading well-known resources into an iframe and using a heuristic of the "time to load" to tell if it's cached or not. Hence, whether or not you have visited that site. I just scanned the source code, but this is what it looks like. In any case, it's not like this code reveals your history -- just whether or not your browser has visited one in a set of popular sites.

    Yay stateless web.

    --

    There aint no pancake so thin it doesn't have two sides.
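
The load-time heuristic described in the comments above, along with the cache-size-0 workaround and its cost, as an added offline model that is not part of the thread or of the tool's code. The class and function names, the URLs and the latency constants are all constructed assumptions; no network or browser APIs are used.

```javascript
// Deterministic model of cache-timing inference. All values are constructed.
const CACHE_HIT_MS = 3;    // assumed cost of serving a resource from cache
const NETWORK_MS = 120;    // assumed cost of fetching it over the network
const THRESHOLD_MS = 30;   // assumed cut-off separating the two cases

class ModelBrowser {
  constructor(cacheEnabled) {
    this.cacheEnabled = cacheEnabled;
    this.cache = new Set();
    this.totalMs = 0;      // running total, to expose the cost of no cache
  }
  // Returns the modelled load time; stores the resource if caching is on.
  load(url) {
    const hit = this.cacheEnabled && this.cache.has(url);
    const ms = hit ? CACHE_HIT_MS : NETWORK_MS;
    if (this.cacheEnabled) this.cache.add(url);
    this.totalMs += ms;
    return ms;
  }
}

// The heuristic: time each candidate and treat a fast load as "cached".
// It can only answer for URLs that are on the candidate list.
function probe(browser, candidates) {
  return candidates.filter((url) => browser.load(url) < THRESHOLD_MS);
}

function run(cacheEnabled) {
  const browser = new ModelBrowser(cacheEnabled);
  const visited = ["https://a.example/logo.png", "https://unlisted.example/x.css"];
  visited.forEach((u) => browser.load(u));  // first visit
  visited.forEach((u) => browser.load(u));  // repeat visit to the same pages
  const browsingMs = browser.totalMs;       // time spent on normal browsing
  const candidates = ["https://a.example/logo.png", "https://b.example/logo.png"];
  return { flagged: probe(browser, candidates), browsingMs };
}

console.log("cache on :", run(true));
console.log("cache off:", run(false));
```

With the cache on, only the visited site that is also on the candidate list is flagged; the unlisted one is never reported. With the cache off nothing is flagged, but the repeat visit costs as much as the first.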