Your Browser History Is Showing 174
tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."
Re:Microsoft actually did something right (Score:3, Insightful)
This methodology is actually quite old (Score:5, Insightful)
This methodology is actually quite old. It takes advantage of the CSS a:visited tag. Imagine making a:visited have a width of 5 and A have a width of 100. Drop another element right next to it and then after the page loads, check to see the location of that second element. Even if the browser attempts to block JS from accessing the style applied to the visited link, it can't keep you from accessing everything else on the page. Voila, by injecting a lot of links onto the page, you can find out where a person has been.
This is particularly dangerous because it can make Phishing very powerful. Imagine creating a resource that collects email addresses, but on that same page running this script to check the login pages of major banks. Then, you can send out targeted emails to people who you know have bank accounts at particular providers.
Re:Microsoft actually did something right (Score:3, Insightful)
Microsoft actually did something right
You mean like the mode Safari had 4 years ago?
Re:...So.... (Score:5, Insightful)
So, the choice is
1. Allow everyone in the world to sniff my browsing history.
2. give up the ability to see my own browsing history.
Somehow, this doesn't seem right...
Re:...So.... (Score:4, Insightful)
So just disable your browser history if you are that paranoid about it. It only takes a few clicks in any major browser. Plus if you for some reason don't want to do that, most browsers now have a private mode that doesn't record those sites in the history.
I think the point can be explained this way: "who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?" Speaking generally about all user data and all remote IP addresses, all remote hosts are on a need-to-know basis and 99.999% of the time, they don't need to know. They particularly don't need to know without prompting the user and asking "do you want to give out this information?" with that question defaulting to "No" and a box, checked by default, which says "Remember this preference".
You can subtly dismiss it as paranoia if you like. That doesn't excuse poor design. Also, globally disabling the browser history would deny the remote Web site access to the browser's history, sure, but it would also deprive the user of this local feature. There should be a more reasonable alternative to either "lose this feature" or "make this feature available to anyone who asks with no regard for privacy." Apparently NoScript provides such an alternative.
Re:...So.... (Score:5, Insightful)
1. Allow everyone in the world to sniff my browsing history.
2. give up the ability to see my own browsing history.
How about
3. treat this as a serious security risk and act accordingly (report the bug and use the browser that comes out first with a patch)
Re:This methodology is actually quite old (Score:5, Insightful)
Sniffing Browser History Without Javascript [slashdot.org] Some 20 days ago.
Re:Not mine (Score:1, Insightful)
It can also be done using CSS and then grepping accesslog. NoScript will not help you there.
Re:...So.... (Score:3, Insightful)
There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already.
Sure there is. Have your browser always pull the visited and unvisited styles, then just display the relevant one. Problem solved.
Re:workaround in firefox (Score:3, Insightful)
This is not a good work around for me. I like being able to tell which links I've already visited. I suspect a lot of people like it too.
Then perhaps a better idea for you is to set a local style for a:visited that includes background, background-image, size, and so on in addition to the text color.
Re:...So.... (Score:3, Insightful)
Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does it it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already.
The Web page (HTML, Javascript code, ...) should not be able to detect such differences and be able to report them back home; it's OK to tell the browser how to render visited links, but not to get the feedback by the browser how it rendered which links. The feedback is actually breaking the sandbox principle.
I actually think that the current direction to "the browser is the OS (or even worse, the Flash player in your browser is the OS)" is a security nightmare.