ghacks Technology News

Mozilla Plugs The CSS History Leak

All web browsers currently have a CSS history privacy leak that lets attackers brute-force a list of sites that the user has visited on the Internet. The leak exploits a CSS feature that colors visited and unvisited links differently. All the attacker needs to do is display a huge list of possible sites in the user’s web browser and check each link's color to see whether it has been visited.

The scripts are currently able to test more than 200K URLs per minute, which should be enough to create a solid profile of nearly any web user.

Some factors mitigate the problem, such as clearing the history regularly.

The Mozilla developers have now come up with a solution for the problem that applies three changes to the way links are styled in the web browser.

The Mozilla blog has a fairly long article up with technical details, as does David Baron, whose solution was picked to plug the CSS history leak in the web browser.

It is not yet clear when this will make its way into the Firefox web browser, but it is likely that it will be implemented soon.

Users who do not want to wait can protect their computers from the leak by setting the layout.css.visited_links_enabled option in about:config to false, which however has the consequence that no visited styling is displayed whatsoever in the web browser.
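One way to check whether this workaround is actually in effect for a Firefox profile, as an added example that is not code from the article or from Mozilla. It assumes the usual profile files prefs.js and user.js, with user.js taking precedence and the preference defaulting to true when unset; the sample file contents are constructed.

```python
import re
from pathlib import Path

PREF = "layout.css.visited_links_enabled"  # preference named in the article

# Matches lines such as: user_pref("name", value);
# Commented-out lines (// user_pref(...)) do not match.
_PREF_RE = re.compile(r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def parse_prefs(text):
    """Return {pref_name: raw_value}; a later line for the same pref wins."""
    return {m.group(1): m.group(2) for m in _PREF_RE.finditer(text)}


def visited_styling_enabled(prefs_js="", user_js=""):
    """True if :visited styling is still on, i.e. the workaround is NOT applied.

    Assumption: user.js overrides prefs.js, and an unset pref means true.
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(PREF, "true") != "false"


def audit_profile(profile_dir):
    """Read prefs.js and user.js from a profile directory (missing files are skipped)."""
    profile = Path(profile_dir)

    def read(name):
        f = profile / name
        return f.read_text(encoding="utf-8", errors="replace") if f.is_file() else ""

    return visited_styling_enabled(read("prefs.js"), read("user.js"))


# Constructed sample contents, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("layout.css.visited_links_enabled", true);
'''
SAMPLE_USER_JS = 'user_pref("layout.css.visited_links_enabled", false);\n'

if __name__ == "__main__":
    exposed = visited_styling_enabled(SAMPLE_PREFS_JS, SAMPLE_USER_JS)
    print("visited-link styling enabled:", exposed)
```
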

Users of all web browsers who want to test what a script could find out about their surfing habits can visit the Start Panic website.



About the Author: Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook or Twitter.

Wednesday March 31, 2010


Responses so far:

  1. kingpin says:

    Martin,
    Where do I set CSS visited links option in IE and Opera? As you can see I am not a Firefox user.

    • Martin says:

      I’m not an expert on the topic but you could either change the colors of links and visited links to the same or disable the history in those web browsers. I do not think that they have an option to turn it off completely. I’m not sure on the effectiveness of this though, you may want to ask an expert on the topic or test it at the Panic site to see if they cannot identify the sites you have been on anymore after making the changes.

  2. Will says:

    Hi kingpin,

    IE: Internet Options > Appearance (Bottom) > Colors > Visited / Unvisited.

    Uncheck “Use Windows colors” if it is checked so you can change the options.

    Opera: Preferences > Web Pages > Normal link color / Visited link color

    See: http://www.opera.com/support/usingopera/operaini/#vlink

    Hope that helps,

    Will

  3. Diego Alejandro Muñoz says:

    You can check this site for more info and some solutions:

    http://whattheinternetknowsaboutyou.com/

  4. kingpin says:

    Hi Will,
    Thanks for help in IE8:)

    Now tell me what to do about Opera?

    Anything I have to change in Opera: Preferences > Web Pages > Normal link color / Visited link color??

  5. hh says:

    Um, changing the colours will do nothing to fix the issue. It still can be sniffed via the CSS :visited pseudo-class.

  6. FL says:

    This related article also highlights the concerns being raised:

    Most browsers silently expose intimate viewing habits

    Zip codes, news articles, free for the taking

    http://www.theregister.co.uk/2010/05/20/browser_history_attack/

    and gives the url:

    http://whattheinternetknowsaboutyou.com/
    putting more meat on those data breach bones.

  7. Ben Hunt says:

    This article has a neat workaround for designers: http://www.webdesignfromscratch.com/html-css/getting-around-the-css-history-leak-limitations/
