Chrome To Patch Decades-Old 'Browser History Sniffing' Flaw That Let Sites Peek At Your History (theregister.com) 31
Slashdot reader king*jojo shared this article from The Register:
A 23-year-old side-channel attack for spying on people's web browsing histories will get shut down in the forthcoming Chrome 136, released last Thursday to the Chrome beta channel. At least that's the hope.
The privacy attack, referred to as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously... Web publishers and third parties capable of running scripts, have used this technique to present links on a web page to a visitor and then check how the visitor's browser set the color for those links on the rendered web page... The attack was mitigated about 15 years ago, though not effectively. Other ways to check link color information beyond the getComputedStyle method were developed... Chrome 136, due to see stable channel release on April 23, 2025, "is the first major browser to render these attacks obsolete," explained Kyra Seevers, Google software engineer in a blog post.
This is something of a turnabout for the Chrome team, which twice marked Chromium bug reports for the issue as "won't fix." David Baron, presently a Google software engineer who worked for Mozilla at the time, filed a Firefox bug report about the issue back on May 28, 2002... On March 9, 2010, Baron published a blog post outlining the issue and proposing some mitigations...
The privacy attack, referred to as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously... Web publishers and third parties capable of running scripts, have used this technique to present links on a web page to a visitor and then check how the visitor's browser set the color for those links on the rendered web page... The attack was mitigated about 15 years ago, though not effectively. Other ways to check link color information beyond the getComputedStyle method were developed... Chrome 136, due to see stable channel release on April 23, 2025, "is the first major browser to render these attacks obsolete," explained Kyra Seevers, Google software engineer in a blog post.
This is something of a turnabout for the Chrome team, which twice marked Chromium bug reports for the issue as "won't fix." David Baron, presently a Google software engineer who worked for Mozilla at the time, filed a Firefox bug report about the issue back on May 28, 2002... On March 9, 2010, Baron published a blog post outlining the issue and proposing some mitigations...
Re: (Score:1)
Guava. No, I don't know why either.
Re: If you sniff my browser history (Score:3)
Looks like Google was pulling a Microsoft (Score:4)
Re: (Score:3)
I think they'd be far more satisfied with Google deciding not to kill off third party cookies.
Although ... (Score:2)
I've never been a huge fan of keeping my (complete) browser history around. Since the beginning I cleared it routinely and now browse a lot of sites in Private windows and for those I don't I use containers in Firefox and even then I still clear my history, except for cookies. The only thing in my history is /. in the default container, which I suppose could be in its own container ...
That's what's to be expected... (Score:3)
A 23-year-old side-channel attack for spying on people's web browsing histories will get shut down in the forthcoming Chrome 136 [....] The privacy attack [...]
That's what's to be expected from one of the top Privacy Rapists in tech - a known privacy-raping "flaw" ("it's a feature, not a bug") doesn't get "fixed" until they've milked it (and their users) for all its worth.
Re: (Score:2)
Sebby is a rapist
Here ya go [slashdot.org] you easily triggered Meta[stasize]/Alphabet employee.
(yeah, I knew you'd come back - you always do)
Re: (Score:2)
>"That's what's to be expected from one of the top Privacy Rapists in tech - a known privacy-raping "flaw" ("it's a feature, not a bug") doesn't get "fixed" until they've milked it (and their users) for all its worth"
Chrome and privacy are not two concepts that fit well together. Chrome is a closed-source, binary blob (based on a non-community driven, open-source project that Google controls completely) and can do whatever Google wants it to do, and we won't really know for sure. Google has lots and l
Stop truncating browser history... (Score:3)
While we're fixing history problems with Chrome, why not make it stop truncating history at 90 days. Many things in life happen on a yearly cycle. It would be great to be able to see things I was looking at a year ago (holiday gifts, items for a class I'm planning, etc.) as I'm looking for things this year. What a stupid policy.
Re:Stop truncating browser history... (Score:4, Informative)
Re: (Score:2)
I use Brave too and am frustrated by that... I put an extension that exports my history periodically, so at least I'll still have it. History Trends Unlimited.
I wish they could make it a configurable option to turn off the trunctation.
Re: (Score:2)
>"Brave does this timed deletion too."
Brave is another Chrom*, so it shouldn't be too surprising. It looks like Firefox doesn't have any timed deletion setting. It is no limit, or wipe after closing Firefox. Anything else is manual. Seems strange neither offers a simple setting for number of [any amount] of hours or days for auto cleaning by user selection.
A little research turns up this Firefox extension for setting number of days: https://addons.mozilla.org/en-... [mozilla.org]
>" Despite its other flaws, the
Re: (Score:2)
I thought firefox had also moved to chromium.
As for my qualms, they took forever to get tabbed browsing working, and this implementation okay at best. Vsync is busted in firefox and they never had any interest in fixing it. (see: https://www.vsynctester.com/ [vsynctester.com] )
They were too busy fucking around with cuddly red panda stunts to address that stuff, and now the browser has some telemetry, and mozilla is clearly moving into the ad space. It's still my main browser, but that is not a good formula for its future, an
Re: (Score:2)
Re: (Score:2)
>"I thought firefox had also moved to chromium."
Um, hell no. You are thinking of all OTHER browsers (those that are not Firefox [and related] and Safari).
>"they took forever to get tabbed browsing working"
Have no idea what you are talking about. Firefox has had working tabs for much longer than Chrome has existed. Are you talking about ancient history or something?
>"Vsync is busted in firefox and they never had any interest in fixing it. (see: https://www.vsynctester.com/ [vsynctester.com] )"
I just ran that test
Re: (Score:2)
"Have no idea what you are talking about."
I meant tab groups as I said in the follow-up
"I just ran that test in Firefox on Linux and it ran perfectly. Nice solid grey "VSYNC" for as long as I ran it. "
Move the window around.
I never advocated for chrome (and what's the point of using it for comparison when it's the worst one?), and I never said anything about ads, I said it's not a good formula for the future. It's still my main browser
Re: (Score:2)
>"Move the window around."
If I move the window around then yes, the VSYNC flickers a little red/cyan. But I thought the point of the test was the moving video in the background and moving VSYNC word would reveal any real problem. Nothing in the instructions say anything about moving the browser window.
If I load and test Chromium, it behaves the exact same way. I assume Chrome would be identical. No better than Firefox on that test (from what I can tell). So it is a complaint not specific to Firefox,
Re: (Score:2)
Moving the window around depends on your compositor. With KWin it works fine. And Firefox had tab groups long ago. They removed them because they were not used very much but there are quite a few extensions cloning it. Search for "panorama". And this are real tab groups, not the section headers like chrome has.
my android whataboutism (Score:2)
Gotta admin (Score:4, Funny)
Re: (Score:2)
Sigh, "admit".
Gotta admin my comments before I submit them ...
Re: (Score:2)
Yet another reason why I don'y use Chrome...... (Score:2)
Firefox (Score:2)
That's why Firefox shortly flashes the site with links rendered blue before showing the right colors. It basically takes a snapshot of the appearance without visited links.