Slashdot Mirror

← Back to Stories (view on slashdot.org)

Browser History Sniffing Is Back

Posted by timothy on from the this-time-it's-interstitial dept.

An anonymous reader writes "Remember CSS history sniffing? The leak is plugged in all major browsers today, but there is some bad news: in a post to the Full Disclosure mailing list, security researchers have showcased a brand new tool to quickly extract your history by probing the cache, instead. The theory isn't new, but a convincing implementation is."

10 of 161 comments (clear)

  1. Easy work-around by richkh · · Score: 5, Informative

    Fixed cache size of 0.

    1. Re:Easy work-around by CastrTroy · · Score: 5, Insightful

      I do this all the time. My history is disabled by default. Cache is 0. I have never really had a need for history in the past 10 years. If I want to find something again, it's faster to just Google it. Or if I find something that I really don't want to lose, I just bookmark it. No reason to keep a history.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Easy work-around by icebraining · · Score: 5, Informative

      Cache and history are completely different features. 0 cache means you'll have to download the same CSS/JS/image files over and over again for each page on the same website, which is a waste of resources for both you and the server.

      --
      Dilbert RSS feed
    3. Re:Easy work-around by zoloto · · Score: 5, Insightful

      well, if sites would stop using so much garbage for simple content we wouldn't have this problem now would we?

    4. Re:Easy work-around by icebraining · · Score: 5, Insightful

      You might not care, but the guy paying for the server's bandwidth certainly does ;)

      --
      Dilbert RSS feed
  2. Javascript required? by betterunixthanunix · · Score: 5, Informative

    This appears to require Javascript. Thank you, noscript.

    --
    Palm trees and 8
    1. Re:Javascript required? by danbuter · · Score: 5, Insightful

      NoScript should just be added in as part of default Firefox. It's very easy to manage, and saves me lots of headaches.

  3. How by farnsworth · · Score: 5, Informative

    This seems to work by loading well-known resources into an iframe and using a heuristic of the "time to load" to tell if it's cached or not. Hence, whether or not you have visited that site. I just scanned the source code, but this is what it looks like. It any case, it's not like this code reveals your history -- just whether or not your browser has visited one in a set of popular sites.

    Yay stateless web.

    --

    There aint no pancake so thin it doesn't have two sides.

  4. Re:jacked or tracked: it's your choice by CapOblivious2010 · · Score: 5, Interesting

    I've only gotten one internet virus in my life - via the "executable GIF" exploit, from visiting NVIDIA.COM !!!

    If you think "reputable" means "safe", YOU'RE a few cards short of a full deck!

  5. Better have good gag reflexes by axlr8or · · Score: 5, Funny

    Cuz if they wanna sniff my browser history they are in for a surprise.