All web browsers are currently vulnerable to a CSS history leak which enables attackers to test if a particular site was visited by a user in the browser used to connect to the site.
The CSS leak makes use of a CSS feature that colors visited and non-visited links differently. All the attacker needs to do is display a huge list of possible sites on a page and check the color of each link to see which sites have been visited.
Basically, a huge list of links is added to a page (it can be hidden). The browser uses a different color for visited links, and the script on the site just needs to check which of the links match that color to know that a user went to that site before.
The scripts are currently testing more than 200K URLs per minute, which should be enough to create a solid profile of nearly any web user.
Some factors mitigate the problem, such as clearing the history regularly.
Mozilla developers have now come up with a solution for the problem that applies three changes to the way links are styled in the web browser.
The three changes take care of layout-based attacks, timing attacks, and computed style attacks.
It is not yet clear when this will make its way into the Firefox web browser, but it is likely that it will be implemented soon.
Users who do not want to wait can protect their computers from the leak by setting the layout.css.visited_links_enabled option in about:config to false, which has the consequence that no styling for visited links is displayed in the web browser.
Users of all web browsers who want to test what a script could find out about their surfing habits can visit the Start Panic website.
All modern browsers are protected against these kinds of attacks now.
The website mentioned in the last sentence should not display any sites that you have visited in the past if you are using a modern web browser.
There is no longer any need to restrict the styling of visited links in your web browser, but you can still do so if you want.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.