Your Browser History Is Showing

tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."

Not mine

[Monoman]

No Script baby

It's slashdotted

[tepples]

Twice in a row, all I get is

Expired

This URL has expired. Please return to the home page.This is likely because of increased load. It shouldn't happen again.

Re:Microsoft actually did something right

[sam0vi]

I'm using FF 3.0.11 on Jaunty with history disabled, and it did not get anything from my browser even though the "recently closed tabs" menu has many entries in it. All i got was a black square. I also had to tell NoScript to allow their domain. This made me feel better about my paranoid ways!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:This methodology is actually quite old

[Anonymous Coward]

New about:config setting in FF 3.5:
layout.css.visited_links_enabled [mozilla.org]

If "visited" is a useful feature for you check out SafeHistory [mozilla.org]:

Restricts the marking of visited links on the basis of the originating document, defending against web privacy attacks that remote sites can use to determine your browser history at other sites

Known since at least 2006

[ugen]

http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html [blogspot.com]

Of course there is no reason this is still not fixed (by being able to disable a:visited style).

Re:Did not work for me

[radtea]

Eh, noscript has become adware in the last year.

This is an out-dated claim: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ [hackademix.net] It pertains to an ugly episode for which the NoScript author is rightfully apologetic.

It's a curious phenomenon, how the mind closes once a certain type of conclusion has been reached. This is the phenomenon that lead to the the NoScript/AbBlock war, and it seems entirely unfruitful to emulate exactly the kind of thinking that caused the issue in the first place.

Re:...So....

[Goaway]

This has been known for several years, and none of the browsers have done anything to fix it.

Re:Not mine

[gazbo]

No Script may help in this case, but not in general. There was a story here only a couple of weeks back talking about a pure CSS method for doing exactly this.

Re:...So....

[uglyduckling]

Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does it it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already. Perhaps the best compromise would be to allow changes to link style only within the domain of the page that's attempting to set that style. But it's still a major backward step in usability. The other option might be to disable link styles for pages that have greater than a certain number of links (say 50).

Re:...So....

[vidarh]

Whether or not you can *read* the history of a browser is irrelevant if you want to know whether or not a user has visited a specific site. In that case you can simply create a page that will set appropriate CSS rules to make the browser try to load a specific background image for visited URL's for each site you want to check for. Then when the user loads your page, you'll get a barrage of what you call http pings, and all you need to do is collate that information and you know which of the sites you care about that the user has visited recently.

It's less invasive than being able to wholesale dump the browser history (you don't know when the sites were visited, for example), but protecting against it also means disabling functionality (you'd need to prevent an app from being able to tell whether or not a link on it's own page has been clicked via CSS rules or other means, which means either disabling the distinction between visited or not completely or disabling reading back style information and/or preventing setting CSS rules that trigger loading of external resources).

workaround in firefox

[denominateur]

in firefox:

  set layout.css.visited_links_enabled to FALSE in about config

This will break (a tiny part of) the layout of sites that use CSS to change the style of links that were visited by the user, but it protects against this problem.

Re:Not mine

[countertrolling]

I third it. I never browse at work.

Re:...So....

[Anonymous Coward]

Then you investigate the DOM to see which is there...

Re:Known since at least 2006

[maxume]

Bugzilla bug 57351 was reported in October of 2000:

https://bugzilla.mozilla.org/show_bug.cgi?id=57351 [mozilla.org]

(Bugzilla may or may not still hate Slashdot, copy and paste if clicking the link does not work).

Re:Microsoft actually did something right

[noirsoldats]

Hate to tell you, this /.'d sites methods are... Extremely overkill.. You can do the same thing without any Javascript at all.. So your little 'No Script' bubble has just been popped. http://www.making-the-web.com/misc/sites-you-visit/nojs/ [making-the-web.com]

Re:Not mine

[ekhben]

Both use the same overall technique, which is that browsers display visited links differently to unvisited links. The JS implementation trawls a set of links looking for particular markers in the font colour or size, and the CSS implementation uses "a:visited {background-image:...}" to trick the browser into telling the server which links are visited and which are not.

The Link Status extension for FF3.5 can disable the :visited pseudo-class, preventing both methods from working.