Sniffing Browser History with No Javascript (making-the-web.com)
57 points by vaksel on June 12, 2009 | hide | past | favorite | 28 comments


You can protect yourself against this by disabling a:visited. Here's a Firefox plugin that does it intelligently, without breaking the functionality on sites where you actually clicked a link.

http://safehistory.com/


This shouldn't be news, since nothing about the original flaw --- which is years old --- involved Javascript.


All the previous demos I'd seen used JS to observe link colors, so this was news to me.


Also, this exact method (css background) was mentioned last time the js version came up on hacker news. How many more times will this be posted?


I seem to have missed all the previous times it was posted :-(

I am surprised that the browser tries to be smart about loading images defined in the CSS.


Great, but I would be really interested if someone could demonstrate an application deriving some real-world use out of this information. I've seen many demos of this browser sniffing, but is anyone using it for real?


I saw someone made a version of one of those "Share It!" links that only showed ones it sniffed (with others accessible by a one-click menu).


You may have missed the point. Building an application around this would be a mistake, since this is a vulnerability that needs to be fixed. There is no way it can be OK for random site visitors to disclose a profile of other URLs they've visited.


Just because it shouldn't be done... doesn't mean people aren't going to use it to make money. And how long have browser people known about this and done nothing? This will be a privacy issue for many years to come.


It's hard to fix without breaking things, so, unfortunately, we're going to have to wait for something very bad to happen before it gets fixed.


I suggested using it for OpenID IDP discovery. E.g., if a site knows that you use Yahoo, it could show you a "log in with Yahoo" button.


It could be useful in targeting ads, i.e. tracking users' other website habits to show them much more relevant ads.

Let's say HN has ads. And it sees that you just came from a Python tutorial site. Instead of showing you a random programming book, the ad would show you a series of Python books.


Let's say you're a staffer for a Republican congressman, and I'm an innocuous web page you've visited. Oh, look! You've visited a lot of gay pornography sites! I think I'd like you to start paying me $50 a month now, so I can "protect" you from negative publicity.


Because a Democratic congressman wouldn't have any political problems whatsoever if found to have visited gay porn sites. :)


I didn't give much thought to this example but I think it makes the point OK.


Actually, in targeting, users' short-term interests are much more valuable than their long-term interests. If a visitor is on HN, you would already know his immediate interests. Knowing that he came from a Python tutorial site (and you can't even say whether he is a regular there or just on and off) would provide marginal value which is hard to justify.


Is there any A/B testing that backs this notion up?


Can work great for competitor analysis as well...


If you're upset about this, wait until you hear about Google Analytics...


It'd be nice if NOSCRIPT could have an option like: "Don't share my browser history with this site". If that option were on, the page just wouldn't have any 'visited' links at all. I could live with that.
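One way to get the effect this comment asks for on the user side, as an added example that is not from the thread: a Firefox user stylesheet (chrome/userContent.css in the profile directory) that neutralises the resource-loading properties of visited links. User-origin `!important` declarations outrank a page's own rules, even the page's `!important` ones, so the page can no longer make a visited link fetch a background image that an unvisited link does not.

```css
/* Added example (not from the thread): Firefox chrome/userContent.css.
   Target both the visited link and anything nested inside it, since a
   page can style "a:visited img" just as easily as "a:visited". */
a:visited,
a:visited * {
  /* The CSS-only probe in this thread relies on this fetch happening
     only for visited links; forcing it to none removes the request. */
  background-image: none !important;
  /* Other properties that can trigger a URL load from a selector match. */
  list-style-image: none !important;
  cursor: auto !important;
  /* Keep the visited colour from carrying information to anything that
     can read it; without script, colour alone does not leave the browser. */
  color: inherit !important;
  background-color: transparent !important;
}
```

This closes the background-image vector discussed above; the SafeHistory add-on linked earlier in the thread is the more complete fix, since it stops the browser from applying :visited at all for cross-site links rather than overriding individual properties.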


There already is a Firefox plugin for that (http://safehistory.com/). NoScript, unsurprisingly, is only for JavaScript.


> It'd be nice if NOSCRIPT could have an option like

'NOSCRIPT' -> 'browsers'


This inspired me to take the concept even further: http://news.ycombinator.com/item?id=655101

This will only work in Opera and Gecko-based browsers.


Isn't the utility of the technique watered down by the fact that the attacker has to precompile a list of addresses? Anything not in that list won't be mined.


Great, so now there's recurring revenue in it for the business that sells subscriptions to targeted lists.


So... this browser thing, actually -is- gathering analytics from anyone who visits it. :P


Apparently it crashes Chrome.


No crash on Chrome 2 here.



