Your Browser History Is Showing (174 comments)

Posted by samzenpus on Thursday July 02, @09:03AM
from the wasted-days-and-wasted-art dept.
privacy
tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."

  • With its "inprivate" browsing mode in IE8.
    Since it doesn't track your history, I'm assuming that your "inprivate" history can't be "sniffed".

    • Re: (Score:3, Insightful)

      It all depends on if your inprivate browser history changes the color of links when they are displayed (or in general obey the css style sheets for visited links). Perhaps someone with IE8 can test it out for us [I lack access to a windows machine]?
    • Microsoft actually did something right

      You mean like the mode Safari had 4 years ago?

    • by sam0vi (985269) on Thursday July 02, @09:20AM (#28557391)

      I'm using FF 3.0.11 on Jaunty with history disabled, and it did not get anything from my browser even though the "recently closed tabs" menu has many entries in it. All I got was a black square. I also had to tell NoScript to allow their domain. This made me feel better about my paranoid ways!

    • With its "inprivate" browsing mode in IE8. Since it doesn't track your history, I'm assuming that your "inprivate" history can't be "sniffed".

      The same as the Safari "private browsing" mode, I assume.

  • So just disable your browser history if you are that paranoid about it. It only takes a few clicks in any major browser. Plus if you for some reason don't want to do that, most browsers now have a private mode that doesn't record those sites in the history.
    • Re:...So.... (Score:5, Insightful)

      by MyLongNickName (822545) on Thursday July 02, @09:21AM (#28557397) Journal

      So, the choice is

      1. Allow everyone in the world to sniff my browsing history.
      2. give up the ability to see my own browsing history.

      Somehow, this doesn't seem right...

    • Re:...So.... (Score:4, Insightful)

      by causality (777677) on Thursday July 02, @09:21AM (#28557399)

      So just disable your browser history if you are that paranoid about it. It only takes a few clicks in any major browser. Plus if you for some reason don't want to do that, most browsers now have a private mode that doesn't record those sites in the history.

      I think the point can be explained this way: "who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?" Speaking generally about all user data and all remote IP addresses, all remote hosts are on a need-to-know basis and 99.999% of the time, they don't need to know. They particularly don't need to know without prompting the user and asking "do you want to give out this information?" with that question defaulting to "No" and a box, checked by default, which says "Remember this preference".

      You can subtly dismiss it as paranoia if you like. That doesn't excuse poor design. Also, globally disabling the browser history would deny the remote Web site access to the browser's history, sure, but it would also deprive the user of this local feature. There should be a more reasonable alternative to either "lose this feature" or "make this feature available to anyone who asks with no regard for privacy." Apparently NoScript provides such an alternative.

        • who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?

          Changing the color of a link you've visited has been around forever. Changing the style of a link you've visited to one that can send information back to the server eg "background-image:url(/visited.pl?site=slashdot)", that's newer.

          Sorry but I don't think I fully understand how that relates to this story. Would you elaborate please? What you describe there sounds like a re-implementation of so-called "http ping."

          • Re:...So.... (Score:5, Informative)

            Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does is it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already. Perhaps the best compromise would be to allow changes to link style only within the domain of the page that's attempting to set that style. But it's still a major backward step in usability. The other option might be to disable link styles for pages that have greater than a certain number of links (say 50).
            • Re: (Score:3, Insightful)

              by Anonymous Coward

              There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already.

              Sure there is. Have your browser always pull the visited and unvisited styles, then just display the relevant one. Problem solved.

            • Re: (Score:3, Insightful)

              Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does is it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already.

              The Web page (HTML, Javascript code, ...) should not be able to detect such differences and be able to report them back home; it's OK to tell the browser how to render visited links, but not to get the feedback by the browser how it rendered which links. The feedback is actually breaking the sandbox principle.

              I actually think that the current direction to "the browser is the OS (or even worse, the Flash player in your browser is the OS)" is a security nightmare.

          • Re:...So.... (Score:4, Informative)

            by vidarh (309115) <vidar@hokstad.com> on Thursday July 02, @09:47AM (#28557761) Homepage Journal

            Whether or not you can *read* the history of a browser is irrelevant if you want to know whether or not a user has visited a specific site. In that case you can simply create a page that will set appropriate CSS rules to make the browser try to load a specific background image for visited URLs for each site you want to check for. Then when the user loads your page, you'll get a barrage of what you call http pings, and all you need to do is collate that information and you know which of the sites you care about that the user has visited recently.

            It's less invasive than being able to wholesale dump the browser history (you don't know when the sites were visited, for example), but protecting against it also means disabling functionality (you'd need to prevent an app from being able to tell whether or not a link on its own page has been clicked via CSS rules or other means, which means either disabling the distinction between visited or not completely or disabling reading back style information and/or preventing setting CSS rules that trigger loading of external resources).

  • black image (Score:5, Funny)

    by Red Flayer (890720) on Thursday July 02, @09:07AM (#28557191) Journal
    I tried it.

    I got a black screen (apparently no history to be shown).

    Either the engine is borked, or my privacy add-ins are working properly...

    Or possibly the Oracle of Browser History has determined that my history is darker than the darkest dark, and refused to show images.
  • Not mine (Score:5, Informative)

    by Monoman (8745) on Thursday July 02, @09:08AM (#28557213) Homepage

    No Script baby

  • And all it showed was pictures of raptors and deadbolts.
  • by Anonymous Coward on Thursday July 02, @09:09AM (#28557231)

    This methodology is actually quite old. It takes advantage of the CSS a:visited tag. Imagine making a:visited have a width of 5 and A have a width of 100. Drop another element right next to it and then after the page loads, check to see the location of that second element. Even if the browser attempts to block JS from accessing the style applied to the visited link, it can't keep you from accessing everything else on the page. Voila, by injecting a lot of links onto the page, you can find out where a person has been.

    This is particularly dangerous because it can make Phishing very powerful. Imagine creating a resource that collects email addresses, but on that same page running this script to check the login pages of major banks. Then, you can send out targeted emails to people who you know have bank accounts at particular providers.
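    The comments above describe two ways a `:visited` rule can leak history (a `background-image: url(...)` that phones home, and a width change measured through a neighbouring element) and suggest restricting what visited-link styles may change. The following is an added example, not code from the page or from web2.0collage: a small Node.js model of that restriction, which keeps only colour properties in rules that target `:visited` and drops anything that changes layout or loads a URL. The allow-list, the regex-based rule splitter (flat rules only, no `@media` nesting) and the sample stylesheet are all constructed for this illustration.

    ```javascript
    // Added example (not from the page): model of a ":visited" style restriction.
    // Rules that target visited links may only change colour properties; anything
    // affecting layout (width, display, ...) or loading a URL is discarded, so a
    // page cannot tell visited from unvisited links through sizes or requests.
    const VISITED_ALLOWED = new Set([
      "color", "background-color", "border-color", "border-top-color",
      "border-right-color", "border-bottom-color", "border-left-color",
      "outline-color", "column-rule-color", "fill", "stroke",
    ]);

    // Minimal splitter for flat "selector { prop: value; ... }" rules.
    // Assumption: no nested blocks such as @media in the input.
    function parseRules(css) {
      const rules = [];
      const re = /([^{}]+)\{([^{}]*)\}/g;
      let m;
      while ((m = re.exec(css)) !== null) {
        const selector = m[1].trim();
        const decls = m[2].split(";")
          .map(d => d.trim())
          .filter(d => d.includes(":"))
          .map(d => {
            const i = d.indexOf(":");
            return { prop: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
          });
        rules.push({ selector, decls });
      }
      return rules;
    }

    // Returns the filtered stylesheet and a log of every declaration dropped.
    function sanitizeVisited(css) {
      const dropped = [];
      const out = parseRules(css).map(({ selector, decls }) => {
        const targetsVisited = /:visited\b/i.test(selector);
        const kept = decls.filter(({ prop, value }) => {
          if (!targetsVisited) return true;           // untouched: not a :visited rule
          const ok = VISITED_ALLOWED.has(prop) && !/url\s*\(/i.test(value);
          if (!ok) dropped.push(`${selector} { ${prop}: ${value} }`);
          return ok;
        });
        return `${selector} { ${kept.map(d => `${d.prop}: ${d.value}`).join("; ")} }`;
      });
      return { css: out.join("\n"), dropped };
    }

    // Constructed sample mirroring the tricks described in the thread.
    const SAMPLE_CSS = `
    a { color: blue; width: 100px }
    a:visited { color: purple; width: 5px; background-image: url(/visited.pl?site=example) }
    a:visited { background-color: url(/x.png); outline-color: red }
    `;
    ```

    Running `sanitizeVisited(SAMPLE_CSS)` keeps only `color: purple` and `outline-color: red` in the two `:visited` rules and reports the three dropped declarations, which is the behaviour a defender would want to confirm in a browser or a CSS-filtering proxy.
    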

  • I went to the sniffing page linked from the summary and it stayed on 0% for 5 minutes so I guess it does not work for me.

    NoScript (I presume) saves the day again!
    • Eh, noscript has become adware in the last year. The reason it keeps updating itself is for ads and to make sure you aren't blocking its own ads, and not for actual updates.

      • Are you sure about that?

        It seems to work fine and I don't notice any additional ads, and when it does update there almost always seems to be something "new" that has been added.

      • by radtea (464814) on Thursday July 02, @09:36AM (#28557609)

        Eh, noscript has become adware in the last year.

        This is an out-dated claim: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ [hackademix.net] It pertains to an ugly episode for which the NoScript author is rightfully apologetic.

        It's a curious phenomenon, how the mind closes once a certain type of conclusion has been reached. This is the phenomenon that led to the NoScript/AdBlock war, and it seems entirely unfruitful to emulate exactly the kind of thinking that caused the issue in the first place.

    • Same story here, it does not work.
    • I went to the sniffing page linked from the summary and it stayed on 0% for 5 minutes so I guess it does not work for me. NoScript (I presume) saves the day again!

      Well, yeah. The whole thing is JavaScript powered, so if you're not executing their JavaScript it's going to stay at 0% for a lot longer than 5 minutes ...

      This is definitely not the first time I was glad I use NoScript.

  • Twice in a row, all I get is

    Expired

    This URL has expired. Please return to the home page. This is likely because of increased load. It shouldn't happen again.

  • Can we please just have something that doesn't give up our privacy every three seconds? If you like having a browser history or enjoy the benefits of javascript, you're screwed. The only answer is to disable one or both of those.

    • Most of the people here are getting errors, while still enjoying the benefits of history or JavaScript.

  • ERROR
    The requested URL could not be retrieved

    While trying to retrieve the URL: http://web2.0collage.com/app/;((%22k%22%20.%20%22(1970%201%2079269687)%22)) [0collage.com]

    The following error was encountered:

    * Unable to forward this request at this time.

    This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

    * The cache administrator does not allow this cache to make direct connections to origin se

  • by ugen (93902) on Thursday July 02, @09:30AM (#28557541)

    http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html [blogspot.com]

    Of course there is no reason this is still not fixed (by being able to disable a:visited style).

  • wommens (Score:3, Funny)

    by psergiu (67614) on Thursday July 02, @09:33AM (#28557579)

    Quote from the final page of the script:

    You can get your web2.0collage as a mug,wommens ...

    I can have it as WHAT? Okay, then can I have my wommens without the /. favicon all over them?

  • It's like a collage of my favorite porn sites.
  • I am using Firefox 3.0.11 on Ubuntu 9.04 with a T7500 CPU (Core 2 Duo 2.2 GHz).

    That site pegged one core of my CPU.

    Really? That would be damn obvious, not to mention most people would see the slow down and close the browser.

  • by denominateur (194939) on Thursday July 02, @09:49AM (#28557797) Homepage

    In Firefox:

      set layout.css.visited_links_enabled to FALSE in about:config

    This will break (a tiny part of) the layout of sites that use CSS to change the style of links that were visited by the user, but it protects against this problem.

    • This is not a good workaround for me. I like being able to tell which links I've already visited. I suspect a lot of people like it too.

      • Re: (Score:3, Insightful)

        This is not a good workaround for me. I like being able to tell which links I've already visited. I suspect a lot of people like it too.

        Then perhaps a better idea for you is to set a local style for a:visited that includes background, background-image, size, and so on in addition to the text color.

  • by smackenzie (912024) on Thursday July 02, @10:19AM (#28558133)
    I see France,
    I see you shopping online at Victoria's Secret for underpants...