CSS are watching you
Researchers Artur Janc and Lukasz Olejnik have made public a paper “Feasibility and Real-World Implications of Web Browser History Detection” that describes how a decade old “feature” of Cascading Style Sheets (CSS) allows Web sites to tap the “visited” pseudoclass and read a visitor’s browser history.
They wrote: “We present a web-based system capable of effectively detecting clients’ browsing histories and categorizing detected information. We analyze and discuss real-world results obtained from 271,576 Internet users. Our results indicate that at least 76% of Internet users are vulnerable to history detection; for a test of most popular Internet websites we were able to detect, on average, 62 visited locations. We also demonstrate the potential for detecting private data such as zip codes or search queries typed into online forms. Our results confirm the feasibility of conducting attacks on user privacy using CSS-based history detection and demonstrate that such attacks are realizable with minimal resources.”
Mitigation
Janc and Olejnik wrote: “A viable clientside solution was a proposed modication to the algorithm for deciding which links are to be considered visited . . . and implemented in the SafeHistory extension for Mozilla Firefox. Unfortunately, no such protection measures were implemented for other Web browsers, and the SafeHistory plugin is not available for more recent Firefox versions.”
There’s a simple workaround if you don’t mind losing it – turn off browser history.
In Firefox: tools | options | privacy | “Never remember history.”
To check what is in your browser history: History | Show all History:
In Microsoft Internet Explorer
Microsoft offers workarounds in “CSS History Probing, or: ‘I know where you went last week’” including:
“3. Disable Visited Link tracking entirely. This would work, although it would entail a pretty significant user-experience penalty because the user could no longer see what sites had been visited. There’s an unsupported registry key available to IE8 users to disable Visited Links. To do so, create a REG_SZ named Disable Visited Hyperlinks inside HKCUSoftwareMicrosoftInternet ExplorerSettings with the value yes.
At minimum you can set up Internet Explorer to delete your browser history on exit:
Tools | Internet Options | General
There’s a great news story about it in the Register: “Most browsers silently expose intimate viewing habits”
Tom Kelchner