History Sniffing In the Wild
An anonymous reader writes "Kashmir Hill at Forbes documents a recent study by UCSD researchers showing that 'history sniffing' is being actively used by mainstream ad networks like Interclick as well as popular porn sites like YouPorn in order to track what other sites you visit. The vulnerability has been known for almost a decade, but this paper documents hundreds of commercial sites exploiting it today (PDF)."
Re:Plug the leak in Firefox (Score:5, Interesting)
A simple fix (Score:4, Interesting)
Re:Javascript... (Score:4, Interesting)
And HTML differs from Javascript how? Or how about an image?
Neither HTML nor JPEG files are Turing-complete programming languages. Sure, your HTML or JPEG parser might have bugs that allow remote exploits, but that's a huge difference from a language like Javascript which can trivially perform these kinds of operations, _by design_.
Use multiple browsers (Score:4, Interesting)
My recommendation is to use multiple browsers.
Say you use Firefox for your web searches.
Then run Facebook on Safari (say).
Anything Google on Opera.
Any porn on Chrome.
Etc.
There are a bunch of browsers out there - use them to silo off the nosey actors like Facebook, Google and YouPorn.
Re:Javascript... (Score:4, Interesting)
No. It can’t. It has a sandbox that it plays in. If JS code breaks out of that, it’s a bug. It’s nothing more than ones and zeros arranged in a semi-human-readable fashion that tells an interpreter what to do. You are an interpreter too, but if I told you to go kill yourself, you wouldn’t. Same thing.
Duh, we're not talking about remote exploits running arbitrary machine code on your system. We're talking about Javascript being a privacy-stealing monster _BY DESIGN_.
Re:YouPorn script (Score:4, Interesting)
What about Firefox hidden history data?
Looking at the information under Troubleshooting Information in the Firefox help menu, there's an entry beyond the expected "browser.history_expire_days", "browser.history_expire_days.mirror" that defaults to 180!
How secure is that??
Note that entering "about:config" in the address bar allows editing the config settings.