Slashdot Mirror


Browser History Sniffing Is Back

An anonymous reader writes "Remember CSS history sniffing? The leak is plugged in all major browsers today, but there is some bad news: in a post to the Full Disclosure mailing list, security researchers have showcased a brand new tool to quickly extract your history by probing the cache, instead. The theory isn't new, but a convincing implementation is."

8 of 161 comments

  1. Not surprising by Anonymous Coward · · Score: 1, Insightful

    Browser developers are not doing proper development anymore. They are too busy playing stupid games like hiding http://, removing status bars, inflating the version numbers and breaking your extensions to do things like security or proper memory management.

  2. Re:Javascript required? by danbuter · · Score: 5, Insightful

    NoScript should just be added in as part of default Firefox. It's very easy to manage, and saves me lots of headaches.

  3. Private Browsing mode FTW! by pla · · Score: 3, Insightful

    Subject says it all. I don't worry about cookies, cache, or malicious scripts (other than wastes-of-bandwidth) because every time I open Firefox, it looks shiny and new to the outside world.

    When I visit a "sensitive" site, like my bank, I open a new browser session and close it when I finish. Aside from that, I just don't worry about it, and have never had a problem. Hell, even that great data-mining wizard Google - my home page and probably the single most frequent site I hit - always defaults me to Georgia (presumably the location of my ISP's HQ), missing by over a thousand miles.

  4. Re:Easy work-around by CastrTroy · · Score: 5, Insightful

    I do this all the time. My history is disabled by default. Cache is 0. I have never really had a need for history in the past 10 years. If I want to find something again, it's faster to just Google it. Or if I find something that I really don't want to lose, I just bookmark it. No reason to keep a history.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

  5. Re:Easy work-around by zoloto · · Score: 5, Insightful

    Well, if sites would stop using so much garbage for simple content we wouldn't have this problem now, would we?

  6. Re:Easy work-around by icebraining · · Score: 5, Insightful

    You might not care, but the guy paying for the server's bandwidth certainly does ;)

  7. Re:You would think so... by icebraining · · Score: 4, Insightful

    The script doesn't actually analyze the cache, just the time it takes to load the resource, so if your proxy's cache is fast enough it might still be detected.

  8. Re:Javascript required? by Arker · · Score: 3, Insightful

    And this won't stop as long as most people are stupid enough to accept browsers that will just run whatever random script some random website hands them. Unfortunately, it's a bit of a chicken and egg problem in that way. If the major browsers would behave sanely, these insanely bad web practices wouldn't work, and the insanely bad 'web designers' that come up with them would have to learn to write real web pages or find another line of work. As is, too many people don't know and don't want to know, and we all pay the price in one way or another.

    I'll keep my NoScript and be happy that broken pages actually display as broken for me, so I know to avoid them, rather than having my browser just randomly download and execute whatever crap codes the broken web page needs to make it look like something else.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.