YouPorn.com ?
I am 12 years old and what is this?
A prominent online marketer that helps websites deliver targeted ads has been exploiting a decade-old browser flaw that leaks the history of websites that users visit, a researcher from Stanford University reported. Epic Marketplace doesn't use the well-documented browser history leak to track specific websites a user has …
I use NoScript to block all javascript by default, and only enable scripts from particular domains as necessary.
Much as I understand that many, many websites need javascript-driven advertising in order to pay their bills, ad providers generally just get blacklisted and silently blocked because it is a terrible, terrible idea to give everyone and their dog javascript execute permissions on your computer.
As for rendering the whole internet unusable... whilst stuff like gmail, youtube, facebook etc all require it, there's plenty of the web that doesn't. Between using IMAP for the former and a decent pub for the latter, I find I cope quite well.
No. Disabling Javascript by default and requiring the user to explicitly allow it for the site would be more akin to requiring car users to have driving licences, if your metaphor wasn't a complete nonsequitur in the first place.
I use NoScript precisely for this reason and AdBlock because advertisers have no right to be putting anything on my computer without my consent in the first place, and because they have a bad track record of security, what with poisoned ads, behavioural tracking et al.
"I use NoScript precisely for this reason and AdBlock because advertisers have no right to be putting anything on my computer without my consent in the first place,"
They're not putting anything on your computer, they are putting it on the web site you are viewing, and the money from this advertising is what keeps web sites going. Do you read newspapers? If so, do you own a tool that rips out every advertisement from the paper before you touch it?
If you don't want to see the advertising, don't visit the web site.
...browsers and HTML have gone way beyond their design parameters and into the territory of unexpected consequences as a result.
But 'we are where we are' and as someone has said scripting drives most of the sites people actually use.
But I do think this breaks the new cookie legislation?
And that is exactly why I'm using NoScript with my browser, see: http://noscript.net
It works on Firefox (which I've stopped using due to the annoying interface chances) and derivatives like SeaMonkey.
IMO an ideal way to browse. At first it blocks everything (javascript, java applets, flash, etc.) and then you can enable stuff. Either temporary or permanently. Its also useful to help you block spamblocks and such, for example by simply allowing stuff from the original website but not from (embedded) sites such as "ads.google.com" (for example).
Sadly 99.9999% of the public will never find out about this, probably wouldn't understand the technicalities and if they did, proabably wouldn't give a monkey's anyway!
People want "shiny stuff", ads maybe slightly annoying but they are a small price to pay to get "shiny stuff". Marketeers are the spawn of Satan himself and should we ever build our three Arcs ready to ship us off to a better life I will make damn sure anyone who even remotely had a job in marketing or making adverts, is on the first one! I will set the co-ordinates to the heart of the sun myself to make sure they are removed once and for all!!
"should we ever build our three Arcs ready to ship us off to a better life I will make damn sure anyone who even remotely had a job in marketing or making adverts, is on the first one"
You do remember that after the first arc left the remaining population were wiped out by a rare disease due to unhygienic telephone handsets...
Does this involve years and years of bent coppers at various levels taking bribes?
Does this involve a surprisingly close relationship between someone called Peston and someone he's supposed to be reporting on (rather than partying with)?
Etc.
OK, you can get your coat now.
... this (as in this practice of analysing your online behaviour) could directly affect far more people than the phone hacking.
OK so the credibility of a bunch of journalists and politicians has come into question. In an ideal world it would be nice to think you could believe what you read in the press and that politicians were acting in your best interest.
It would also be nice to think that you could surf the internet without having your browser history being analysed and the sold to advertisers...
I'd say it's in the same category under the circumstances, since the voicemail hacking could be described as exploiting a vulnerability/design flaw. The flaw in this case is institutional bad practice by the mobile operators, by (a) having a default PIN for all accounts, and (b) not really telling anyone. I mean how many people even knew about PIN-based access to their voicemail before this whole business blew up? (And please note, the Reg commentariat cannot be considered representative here.) I've been through 3 operators, and only the latest one prompted me to change my PIN, and only a couple of months ago at that - interesting timing, no?
Just like the browser vendors, they only take action when the problem starts generating widespread bad press. The mobicos deserve a share of the blame in that saga.
Was there such a leaflet? OK, perhaps. The box of my last phone and associated gubbins are long gone, but I'll take your word that this info is normally in there somewhere, but I would put this under the category of (as a delightful customer at my business once put it) "Who reads that stuff?"
Please note I'm talking about the general public here. You must have met some of them, hateful people for the most part (me included in this instance). I'm willing to bet that for the majority of people, voicemail was a service that lives in the handset, and the fact that it could even be accessed from elsewhere would be a revelation to most. Like I said, none of my operators have ever prompted me during on-handset use for a PIN (until a month or two ago). Is this unusual?
This is not a privacy bug built into major browsers. It is how html works and is damned difficult to fix (and despite being told this by numerous people, the Register continues to repeat the lie).
This is silly. The fault does not lie with the browser makers but with the idiots marketing people who are happy to invest so much effort to scam one person in 100,000,
No it isn't. If anything it's how Javascript works, and Javascript for all its retroactive establishment of standards (ECMAscript) is a conceit of the browser vendors. What we have here is yet another example of weaknesses in the implementation: why was it ever allowed for this data [whether a link has been visited] to be readable by scripts that can then relay it back upstream?
Just another XSS vuln when it comes right down to it.
NO. It's not how HTML works, or how JavaScript works, or even how CSS works. It's based on the interaction between those, and thus falls in the realm of (as mentioned above) unintended consequences. And it's definitely NOT cross-site scripting (XSS).
Here's (roughly) how it went down:
Web browsers are built to parse HTML, and the designers say "wouldn't it be nice to color-code links people have already visited, so they don't end up in some sort of loop?" Cool feature, everyone* loves it.
Netscape adds JavaScript, and the developers say "it's expandable by default, just like HTML**, so you can add your own properties to elements and query/manipulate them using JavaScript!" Cool feature, everyone* loves it.
CSS is developed to separate the style from the structure in HTML. The developers say "It even covers meta-properties, like whether or not you've visited a link, and by the way, it's accessible via Javascript!" Cool features, everyone* loves them.
Some programmers put 1+1+1 together and realizes it makes 3: "We can 1) use CSS to set the colors of visited vs not-visited links to known values***, 2) programmatically add a link to a hidden area of the page, then 3) query the CSS color property of that link to determine whether or not someone has visited that link. And JavaScript is fast enough now that we can do it thousands of times per second."
* That's everyone as in everyone the developers listened to, and specifically the people who bought them lunch. There were people who disliked all of these features, but they were curmudgeons who didn't spend money on the right things.
** Yes, HTML IS expandable by default. The specification requires user agents to allow for and ignore elements and attributes that they do not recognize, but to make them available via interfaces like DOM.
*** So one possible workaround (not tested by me) before the vendors plugged this specific hole would be to use a feature like Opera's User Mode style, turning off developer's ability to change the colors of the links, and setting them to the same color value. But that would mean the links could look funny or even be unreadable on some pages.
Steve,your summary of how the exploit works is correct. However, a quick fix for it is for when a script queries the colour of a link, the script always gets the "unfollowed" style, regardless of what colour the user can see. (Or not see, as the exploit is normally carried out in a hidden <div> or <iframe>)