FTC Bars Ad Firm From Snooping Browser History
itwbennett writes "Score 1 for online privacy. The Federal Trade Commission and online ad firm Epic Marketplace have reached a settlement that will bar Epic from using browser history sniffing technology. According to the news report, 'The history sniffing allowed Epic to determine whether a consumer had visited more than 54,000 domains, including pages relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy. Epic used the tracking to send targeted ads related to several health issues, the FTC said.'"
Needs to be both illegal and impossible (Score:2, Informative)
This is great, but we need security at both ends here: prosecution to remove the economic incentive to invade people's privacy, and software security to increase the difficulty of doing so.
Here are two tests for vulnerability to history sniffing attacks, one CSS-based and one based on cache timing:
http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/ [mikeonads.com]
http://lcamtuf.coredump.cx/cachetime/chrome.html [coredump.cx]
Unfortunately it seems Opera (12.11) is still vulnerable to the CSS leak. :(