
History Sniffing In the Wild

An anonymous reader writes "Kashmir Hill at Forbes documents a recent study by UCSD researchers showing that 'history sniffing' is being actively used by mainstream ad networks like Interclick as well as popular porn sites like YouPorn in order to track what other sites you visit. The vulnerability has been known for almost a decade, but this paper documents hundreds of commercial sites exploiting it today (PDF)."

  • Javascript... (Score:5, Insightful)

    by betterunixthanunix ( 980855 ) on Friday December 03, 2010 @11:35AM (#34431254)
    If I gave you some random code, did not tell you what exactly it did but asked you to run it, would you run it? That is basically what is happening when you browse with Javascript enabled -- you are allowing websites to run essentially arbitrary code on your computer.
  • by Anonymous Coward on Friday December 03, 2010 @11:57AM (#34431542)

    If you're trying to explain how all these kinds of things work, you need to be more precise. And I say precise not to please geeks, but to help the layman audience understand what is really important.

    A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,”

    This should have been written as "a script stored on the site and offered to the browser, which the browser elects to download and run, runs on your computer and exploits a privacy leak..."

    It's not that summarizing it as "a script on the site" is wrong; it's technically correct in a pedantic[*] way, to say the script is on the site, since that does happen to be where it's stored. But we're not ever going to have a technically literate and informed public OR LEGISLATORS (and they are getting mentioned in this article; their knowledge or lack thereof is critical since they're threatening to pass laws related to this topic) if we continue to leave out the most important and fundamental aspect of how most privacy leaks happen.

    The same goes for the mention of cookies.

    The FTC has proposed the creation of a Do Not Track option for Web surfers, which would regulate history sniffing as well as ad networks placing cookies on your computer to keep track of you.

    Never in the history of the web has any network placed a cookie on someone's computer. Just as above, that is a seemingly-convenient shorthand, but it actually obfuscates the truth to such an immense degree that anyone who tries to make decisions (I'm looking at you, lawmakers) will totally get all their policies wrong.

    Servers offer cookies. User agents place cookies on people's computers, completely voluntarily.

    [*] Pedantic. It might sound like I'm being the pedantic one here, but the essence of pedantry is to focus on irrelevant truths, such as defending the truth of a statement that a script is "on a site" because the master copy happens to be stored on the site. Such truths are a deception, because a script on a site has very little power. It's only when other computers choose to get and run that script, that the script starts to really do things.

    What I'm getting at is that for these client-side problems, we need to present and think about them as client-side problems.
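
The distinction the comment above draws between a server offering a cookie and a user agent storing it, as an added example that is not part of the thread: Python's standard `http.cookiejar` plays the user agent, and the host names and cookie value are constructed for illustration.

```python
import email
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy

# Constructed sample: the Set-Cookie header a server *offers* in its response.
OFFER = ["uid=constructed-123; Path=/"]

# Three client-side policies; the server's response is identical in each case.
POLICIES = {
    "accept_all": DefaultCookiePolicy(),
    # Refuse cookies from unverifiable (embedded) third-party requests.
    "no_third_party": DefaultCookiePolicy(strict_ns_unverifiable=True),
    # An empty allow-list: no domain may set cookies.
    "refuse_all": DefaultCookiePolicy(allowed_domains=[]),
}


class OfferedResponse:
    """Stand-in for an HTTP response; carries only the headers the server sent."""

    def __init__(self, set_cookie_lines):
        raw = "".join(f"Set-Cookie: {line}\n" for line in set_cookie_lines)
        self._headers = email.message_from_string(raw + "\n")

    def info(self):  # the interface CookieJar.extract_cookies() expects
        return self._headers


def cookies_stored(policy_name, url, page_host, embedded):
    """Return the cookie names the user agent chose to keep for this response."""
    jar = CookieJar(POLICIES[policy_name])
    request = urllib.request.Request(
        url, origin_req_host=page_host, unverifiable=embedded)
    jar.extract_cookies(OfferedResponse(OFFER), request)
    return sorted(cookie.name for cookie in jar)


# Hypothetical hosts: the user visits news.example, which embeds a tracker resource.
FIRST_PARTY = ("https://news.example/", "news.example", False)
THIRD_PARTY = ("https://ads.tracker.example/pixel.gif", "news.example", True)

if __name__ == "__main__":
    for name in POLICIES:
        print(name,
              "first-party:", cookies_stored(name, *FIRST_PARTY),
              "third-party:", cookies_stored(name, *THIRD_PARTY))
```

The same offered header ends up stored, stored only for the first-party request, or not stored at all, depending solely on the policy the client applies.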
