Privacy: sites can see browser history (css, visited)

wodow
Posts: 13
Joined: July 4th, 2005, 6:57 am

Post by wodow »

All,

So, it's possible for websites to effectively query Firefox's viewing history by using :visited in CSS.

Example: http://gemal.dk/browserspy/css.html

Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=147777

Further discussion: https://bugzilla.mozilla.org/show_bug.cgi?id=57351

Isn't this an absolutely huge privacy hole? Shouldn't the world be told?

Bug 147777 has been unresolved for 3 years, primarily due to the complexities discussed toward the bottom of its page.

Thanks,

Wodow
Unarmed
Posts: 4941
Joined: July 31st, 2003, 1:26 pm

Post by Unarmed »

Yes, it's a privacy hole. It's not exactly a huge secret, either. As it currently stands, you can disable your history entirely to avoid it.

Feel free to tell the world -- perhaps we'll see more action on that bug once there are a few malicious implementations out in the wild.
Amos The Amish Astronaut
Posts: 365
Joined: July 31st, 2005, 4:34 pm

Post by Amos The Amish Astronaut »

Does Tools/Options/Privacy/History/ Remember Visited Pages set to 0 days resolve this problem?
cogito haec cogito ergo cogito sum
wodow
Posts: 13
Joined: July 4th, 2005, 6:57 am

Post by wodow »

Certainly removing the history will fix this problem, but isn't that rather a major feature of the browser?

Wodow
Unarmed
Posts: 4941
Joined: July 31st, 2003, 1:26 pm

Post by Unarmed »

Quite. But then, many paranoid people already surf without history, so it wouldn't be a big jump.
BECKER1
Posts: 3
Joined: August 2nd, 2005, 8:50 am

Post by BECKER1 »

Hi wodow. I have always disabled history, even when I used IE. I even put cache to 0, and if I need something that I wanted in the past I have it on floppy or a text doc. In the privacy options I have all off. Does not hinder my work in any way. Just another security flaw you don't have to worry about. I do turn on history sometimes when looking for drivers etc., but clear it when done heavy searching. There won't be a perfect browser, but I do what I have to do to keep my privacy. This is still far better than IE flaws.
becker1
wodow
Posts: 13
Joined: July 4th, 2005, 6:57 am

Post by wodow »

It has taken me nearly two years, but I finally found a workaround to the problem in the form of this extension:

http://safehistory.com/

(It looks like SafeHistory has been around at least since Feb 2006 [1] but I was inspired to look today by the coverage that Spyjax [2] has been getting this week.)

[1] http://web.archive.org/web/*/http://safehistory.com/ (<- doesn't linkify properly!)

[2] http://www.merchantos.com/makebeta/tools/spyjax/
Anonymosity
Posts: 8793
Joined: May 7th, 2007, 12:07 pm

Post by Anonymosity »

SafeHistory seems to go a bit too far. It hid the visited link colour from me too! I can see not allowing web servers to determine whether you have visited certain domains, but to hide the visited appearance from the browser's user is overdoing it.

Is there any other way to disable a server from getting that information? Is it possible to find something that can change the code on the page that is fetching that data? I can block that with Proxomitron (web filtering), but that runs only on Windows, and I would like to be able to do that with an Intel Macintosh as well.
zooplah
Posts: 44
Joined: December 31st, 2007, 4:03 pm
Location: West Virginia, United States

Post by zooplah »

I don't see the big problem. So, they see which sites I've visited? Nothing significant, let me tell you. Yes, I've searched for my own name (albeit, it's been a while) and the top hits aren't me. I can only imagine what it would be like for somebody like Joseph Smith.
Dartman
Moderator
Posts: 11995
Joined: February 9th, 2006, 9:43 pm

Post by Dartman »

Please look at the dates of posts/threads before posting to them. It is pointless to post to threads this old (from 2005).


Closing this thread.
Alcohol and Calculus don't mix. Never drink and derive.