Firefox developers say they're close to plugging an information leakage hole that has plagued every major browser for more than a decade. The cascading style sheets history attack makes it easy for web masters to compile vast lists of links visitors have previously viewed. It exploits technology in virtually every browser that …
The audacity of them
"A few sites that use more than color to differentiate visited links may look slightly broken at first while they adjust to these changes"
Or to translate that into English, "We're going to break some websites until the people running them change their design to suit us."
bugs.debian.org would be affected: it uses bold text for unvisited links and normal text for visited links.
"They've done stuff in a non-standard, implementation-dependent way so now they'll have to redo it because we change the implementation to fix a security hole". There, fixed that for you.
Just use Opera...
No need for stupid bloaty add-ons...
Once more, for the record ...
Or you could just chop off your testicles
And only reattach them for the women you want to have sexual intercourse with.
No need for your danglies to be weighing you down all the time...
Just use NoScript
What you describe is basically how NoScript works, Forbid globally, then whitelist either temporarily or permanently as needed. No bloat, and works really well in combination with AdBlock Plus and FlashBlock.
Why is it that no matter what the issue, some commentard invariably pops up with the admonishment that we "just use Opera"? I've tried it once or twice, and was disappointed with its ability to extinguish the crust of wiggling, flashing, bouncing advertising -- or, if you insist, the "enhanced browsing experience".
I'd actually buy that if it existed and worked - instead of having a huge variety of sex toys, you could just simplify and have a huge variety of interchangeable bits instead.
Re: Once more, for the record
Opera is NOT affected...
At least not 10.52..
Yeah, Microsoft would never do that. How audacious of Mozilla to at least attempt to fix a 10 year old issue.
Has it occurred to you guys yet that since you see it as a given that everything MS does and is is shit, saying Mozilla and Firefox (or Open Office, Linux, BSD, whatever) is better by comparison really means a whole lot of bugger all?
Most Open-Source supporters don't automatically assume everything M$ does is shit. We very carefully and thoroughly examined the issue before coming to the conclusion that everything M$ does is shit :)
Seriously though, not everything M$ does is bad. I for one am a fan of C# and Direct3D.
And Office is good too, although I'm not really willing to pay all that money for it when there are perfectly good alternatives available for free. I won't argue they are better, but they do all that I, and probably something like 99% of Office users, really need.
And I won't even start on Windows. That is a subject you can debate (or rather; yell nonsensical insults at each other) for years... And we have. - I will say this though; Windows 7 is extremely good compared to its predecessors. In my experience, at least. (I won't pretend to be an expert on the inner workings of any version of Windows.)
What I would like of software developers nowadays
Is to be less clever for once. For God's sake, put a bloody switch on the configuration named: "disable colored history markings on links" plus a note underneath saying:
"this does blah blah blah, while we fix the problem with a much more clever solution (not recommended)"
That way I could have been browsing for 9 years without being tracked.
But what can I say, software development nowadays (open source or not) is like modern Hollywood flicks, an excuse to make something shiny, not good.
Get a grip
"Many proposed fixes threatened to bring browsers to a crawl or prevent users from knowing whether they had previously visited a website, trade-offs Mozilla, Microsoft and other browser makers have largely considered unacceptable."
However the "visited" history feature is not that crucial a feature in the first place. It could easily be reset across browsing sessions without impacting general user experience, or it could be disabled across domains, or it could be disabled entirely.
Many of us configure the browser to clear history automatically anyways, so nothing lost.
Since they're determined to retain the feature, then I guess changing the color only is an acceptable compromise.
… does, as you seem to be saying, need to be more fine-grained. There are certain sites for which I *want* to keep history across browsing sessions, then there's everywhere else where either I would prefer to throw away the history (or not record it in the first place) or it doesn't matter.
Manual selective clearing is possible, but people are lazy.
The mouthbreathing fatbeards on the Mozilla team can't even contrive it so bookmarks autosort like every other browser in the world, which makes me doubt their capabilities when it comes to real bugs.
Why on Earth would I want my Bookmarks to re-arrange themselves? I put them in a specific order and I'd like them to remain like that thank you very much!
@AC:"so bookmarks autosort like every other browser"
There is no need for you to be insulting over something so trivial. For a start:
(1) I don't want my bookmarks autosorted. I want them where *I put* them. I.e. I am in control, not someone else *dictating* over me what I should do. (The one thing I would really like is being able to set a colour for each bookmark and folder, to allow me to quickly visually scan long lists, as I like to sort by subject rather than by name). My point is, there are smarter ways to sort a list than simply by name, and often it's a personal preference how best to sort the list, something hard to code for every possible way, so freedom for users is important to let the users choose how best to do something. (We are controlled enough in our lives as it is, (and it's getting worse all the time), so the last thing we need is yet more rules imposed on us all).
(2) If you absolutely cannot live without sorted bookmarks, you open the Organise Bookmarks menu item, then right click on a folder, and select "Sort By Name". Then hey presto, just like magic, it's sorted.
Just to vote on the "bookmark autosorting" feature.... I don't want this feature either. I prefer to put frequently accessed items on the top.
And there is no need to act like a jackass.
I've just had to disable it for El Reg, something wasn't finishing loading properly so the whole site was behaving badly. Links would not be clicked on etc.
Now I've disabled it, after trying blocking adverts first, it seems to be behaving.
That fixed it for me too. Cheers!
For example, theregister.com web developers could test whether cnet.com was in your browser history.
Wouldn't it just be easier...
These are not so much bugs, but inherent weaknesses in the script design itself, and perhaps better than messing with the visited link functionality would be to simply look at these weaknesses, then implement a proper set of options where the user can slam the door on them. I view my history with Ctrl-Sh-H, I don't need script to do it.
Mozilla, fix the real problem please...
Re: Wouldn't it just be easier...
I guess you didn't actually understand what the issue is. Scripts can't actually access the history.
But this is such a trivial disclosure. You'd have to go to a page with this script, and this big list of links. I'm pretty sure the big list of links would have actually displayed, though they could be white-on-white, and nearly invisible. And my entire browsing history is only known, if you could guess which sites I might have gone to. There are tens of millions of websites in the world.
Of course, the scope of this tracking is limited to specifically looking for individual URLs and checking "have you visited paypal.com" rather than trawling ALL your history. So no need to worry that someone will discover you were looking at fatgranniesonline.com or whatever.
Ok, so that doesn't mean it's safe, it just means it can only be used for very specifically targeted attacks. So how to fix it?
The "simple" answer might be to only return CSS properties (such as element width) for the link based on their standard properties and NOT what is defined for A:visited. Sounds great, but it won't work. You could put that link element in a fixed-width container with another variable-sized element, and then measure the change in that second element to deduce the width of the first (and therefore whether it's being shown as :visited or not).
that's exactly what they did
What we need is a Seal of Good Web Design
I always love when I hit a white page with one sentence that basically says "click here to navigate without ..." and I am able to very quickly and easily do what I want without a bunch of expanding and collapsing context menus or waiting for a series of cascading combo menus to load up lists of 75K different OS and product options.
And a mandatory "Crappy Web Design" logo for any site that doesn't comply.
In another part, I use scripting to determine whether to display romaji using circumflex accents (like "ô") or proper caron accents (like "ō" (if you can see that)). At the moment, I make many assumptions based upon the type of browser. It would be a hell of a lot simpler to ask "does this machine support Unicode?" but I have not figured out how (suggestions welcome!). Anyway, what you get shown depends upon what the script determines your capabilities to be. Oh, and there is <noscript> too, that reverts to circumflex behaviour to be more compatible with old systems that don't have script (or Unicode) rather than newer systems with script blocking...
Re: Excellent idea!
That's quite easy to implement too.
Simply replace the jscript engine and the flash plugin with something that drops your "Crappy Web Design" logo prominently onto the page when either is invoked.
Crappy Web Design award
Pass the suggestion to 'Web Pages that Suck' (http://www.webpagesthatsuck.com/)?
just set tools/options/privacy to not store browser history and clear private data on exit as can be done with flock?
also maybe run index.dat suite to clear out the .dat files and browser history independent of the browser?
Having updated to Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100307 Mandriva Linux/1.9.2-0.1mdv2010.0 (2010.0) Firefox/3.6, visited links on the Register will not show up in a different way at all.
On another PC with a slightly older version of Firefox there is no problem.
I hope this "problem" will be fixed, eventually.
All proposed solutions including NoScript fail to block the simplest of CSS-history leaks; That of specifying a unique background URL for :visited links. Then simply check which of the URLs have been requested. It also escapes attention by not sending the results back by XmlHttpRequest.
Even by rendering first with links in the unvisited state then rendering a second time does nothing to stop the leak and nearly halves browsing speed.
A more reasonable compromise was to restrict the visited status by a same-origin policy. It was downloadable from safehistory.com but sadly it's unmaintained and incompatible with modern browser versions. Also there still remained the chance of history sniffing as part of an XSS attack - albeit slightly reduced.
The only way to plug the leak is to turn off layout.css.visited_links_enabled for good.
A solution at last:
Nice and simple.
layout.css.visited_links_enabled = false
I do not miss the color change at all.
I wish there was a GUI element somewhere to disable this, but for now it will do.
Looking forward to seeing
the responses from Google, Microsoft, and Opera. But why not ask Apple as well ?...
This works extremely well for Seamonkey 1 & 2 and Firefox. It also reduces the memory usage to a low enough level to allow up to 7 days of open window (No JS) operation on Linux and the same on Windows (if Windows doesn't crash.)
Ignorance is bliss
Once the preferred search engine has been identified, the URL to be tested can be generated dynamically to include a list of rubrics ... eg car loans, jobs, Pr0N, Paris Hilton etc Then when a 'hit' is detected backtracking to that particular URL's sitemap gives another set of specific links to check. Make no mistake, mature versions of this exploit do not stumble blindly, they are hunting.
We know of at least one car dealership and several office supplies outlets that use this exploit to 'provide a more personal user experience' which invariably means hiking the price up if the visitor has not seen the cheaper one on a competitor's web site and offering a free cuddly toy if they have.
mmmmh titles, drool
A nice implementation of the hack is at: http://didyouwatchporn.com/
Not a bug, but a feature.
Pretty much every site I am aware of, and almost every commercial site I've worked on over the last 14 years uses the :visited selectors for specifying colours, background-images, underlines, etc. as part of the site design and to improve usability. As a developer, I wouldn't consider using something that does not conform to the standards. Web developers have used this for years because it's part of the CSS spec and thus considered safe.
And now Mozilla are seriously considering breaking widely used functionality and moving away from the standard, because they want to pander to a few paranoid beardies in sandals who wouldn't know usability and design if it bit them in the arse. Why, thank you very much.
I consider myself to be reasonably security conscious, but I find it hard to see what exactly the security issue is.
From what I understand, the only way this "bug" (and I use the term in the loosest possible sense) can be exploited is when the "attacking site" has a link to *exactly* the URL in its HTML / JS that the visitor has been to before. This means that the "attacking" site can't ask the browser to give up the history, but it has to ask whether it has been to URL xyz.
I would suggest that anybody worried about this has more pressing issues than keeping their browser history private.
BTW, @grumpy: "Site developers have done stuff according to the CSS specification, and now Mozilla is thinking about ignoring web standards so that everybody has to fix their style sheets in order to placate a handful of paranoids." There, fixed that for you.
heh, so many techies defending Browsing Lives Open To All
you use a car. it turns out that the manufacturers - or the petrol station or, indeed, anyone in the car biz - can now discover whether you've been to any particular place, and whether you were going a certain speed. (Not Plod: anyone who sees you.)
you use an oven. it turns out that the manufacturers (and anyone else involved in the world of cooking) can now discover whether you've been cooking chicken, or hash cakes, or anything else they ask about...
you use a browser. it turns out that any website that cares to ask can find out whether you've been to www.revolutioninchina.com, or to any other site they want to ask about...
how lovely that a few of you clueless techies think that because you personally can find a way round this, then it isn't a problem.
you worthless, clueless people.
you are the problem.
"You're a loony" - Graham Chapman, 1975
People knowing where you've been driving is only a problem if you weren't driving on the public highway in full view of everyone else at the time.
You worthless, clueless tin-foil hatters.
Next they'll be inventing a mode that hides all the pr0n you browse by leaving no trace of it in your history. Oh hang on a minute...
Anyone in favour of the Pr0n modes of all the browsers dropping support for a:visited etc, please give a thumbs up on this message. I rate it as two thumbs fresh, myself.
Solved for sites that include third-party code
The Caja project addresses this problem for websites that want to include third-party HTML without allowing JS in it to sniff history or do other nasty things. It uses a similar method -- limit how fancy styles can get for :visited (nothing that changes layout), and then present the unvisited styles whenever JS tries to observe computed CSS.
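As an added example (not part of any comment above, and not Mozilla's or Caja's code): a small Node.js check a site maintainer could run over a stylesheet to find `:visited` rules that rely on more than colour, the kind of styling the thread says will stop working. The allow-list of colour properties, the function name and the sample stylesheet are assumptions constructed for illustration.

```javascript
// ASSUMPTION: allow-list reflecting the colour-only restriction on :visited.
const COLOR_ONLY = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'text-decoration-color',
  'text-emphasis-color', 'fill', 'stroke',
]);

// Constructed sample: bold-for-unvisited styling plus a :visited background image.
const SAMPLE_CSS = `
a:link    { font-weight: bold; color: #00c; }
a:visited { font-weight: normal; color: #609; }   /* weight differs by state */
@media screen {
  nav a:visited, nav a:hover { background-image: url(/img/tick.png); outline-color: gray; }
}
.footer a:visited { color: #555; }
`;

// Returns one finding per non-colour declaration inside a :visited rule.
function auditVisitedRules(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, '');  // strip comments
  const findings = [];
  const rule = /([^{}]+)\{([^{}]*)\}/g;                   // innermost blocks, so
  for (const [, prelude, body] of css.matchAll(rule)) {   // @media contents match too
    const selectors = prelude.split(';').pop()            // drop a preceding @import etc.
      .split(',').map(s => s.trim());
    const visited = selectors.filter(s => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    for (const decl of body.split(';')) {
      const idx = decl.indexOf(':');
      if (idx === -1) continue;                           // empty or malformed piece
      const property = decl.slice(0, idx).trim().toLowerCase();
      if (property && !COLOR_ONLY.has(property)) {
        findings.push({
          selector: visited.join(', '),
          property,
          value: decl.slice(idx + 1).trim(),
        });
      }
    }
  }
  return findings;
}

console.log(auditVisitedRules(SAMPLE_CSS));
```

Each finding is a declaration whose visited/unvisited difference would no longer render, so the design should carry that distinction through colour instead.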
Sits over there in the corner mumbling to itself.
At Netscape 4.72 they could store your browsing history.
Stuck with 4.6 because of that.
Endured websites that broke W3 just because they could (Would have been fired where I worked but then a f**k lot of programmers should be eating at soup lines.)
Is no longer repeating itself.
It is back.
and it is mad.