Mozilla Plugs The CSS History Leak
All web browsers are currently vulnerable to a CSS history leak which enables attackers to test if a particular site was visited by a user in the browser used to connect to the site.
The CSS leak makes use of a feature of CSS that colors visited and non-visited links differently. All the attacker needs to do is display a huge list of possible sites on a page and check how each link is colored to see which sites have been visited.
Basically, a huge list of links is added to a page (it can be hidden). The browser uses a different color for visited links, and the script on the site just needs to check which of the links match that color to know that a user went to that site before.
The scripts are currently testing more than 200K URLs per minute which should be enough to create a solid profile of nearly any web user.
Some factors mitigate the problem like clearing the history regularly.
Mozilla developers have now come up with a solution for the problem that applies three changes to the way links are styled in the web browser.
The Mozilla blog has a fairly long article up with technical details, as does David Baron, whose solution was picked to plug the CSS history leak in the web browser.
The three changes take care of layout-based attacks, timing attacks, and computed style attacks.
- layout-based attacks: Mozilla decided to limit the styling that can be done to visited links.
- timing attacks: eliminates attacks that distinguish visited from unvisited links by measuring the time it takes to resolve those.
- computed style attacks: returns the unvisited style if a script attempts to get the computed style of a link.
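A stylesheet audit for the first change, as an added example that is not from the article or from Mozilla's code: it flags declarations in :visited rules that fall outside the color-only properties the fix still honours. The property list comes from Mozilla's published description of the fix rather than from this page, and the function name auditVisitedRules and the sample CSS are constructed for illustration.

```javascript
// Properties still honoured inside :visited rules after the fix (assumption:
// taken from Mozilla's description of the change, not listed in this article).
// For fill and stroke only the color part applies.
const ALLOWED = new Set(["color", "background-color", "outline-color", "fill", "stroke"]);
const isAllowed = (prop) =>
  ALLOWED.has(prop) || /^border(-(top|right|bottom|left))?-color$/.test(prop);

// Minimal scanner for `selector { prop: value; ... }` blocks. It strips
// comments but is not a full CSS parser.
function auditVisitedRules(css) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, "");
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(text)) !== null) {
    // Keep only the selectors in this rule that target visited links.
    const selectors = m[1].split(",").map((s) => s.trim())
      .filter((s) => /:visited\b/i.test(s));
    if (selectors.length === 0) continue;
    for (const decl of m[2].split(";")) {
      const idx = decl.indexOf(":");
      if (idx === -1) continue;
      const prop = decl.slice(0, idx).trim().toLowerCase();
      // Anything outside the allowed list is ignored by a fixed browser,
      // so the design silently loses that visited-link styling.
      if (prop && !isAllowed(prop)) {
        findings.push({ selector: selectors.join(", "), property: prop });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet (not from any real site).
const SAMPLE_CSS = `
a:link { color: #06c; background-image: url(unvisited.png); }
a:visited { color: #609; background-image: url(tick.png); font-weight: bold; }
/* navigation */
nav a:visited, nav a:hover { border-bottom-color: #609; padding-left: 12px; }
a:visited:hover { outline-color: #609; }
`;

for (const f of auditVisitedRules(SAMPLE_CSS)) {
  console.log(`${f.selector}: "${f.property}" is not applied to visited links`);
}
```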
It is not yet clear when this will make its way into the Firefox web browser but it is likely that it will be implemented soon.
Users who do not want to wait can protect their computers from the leak by setting the layout.css.visited_links_enabled option in about:config to false, which has the consequence that no styling for visited links is displayed in the web browser.
Users of all web browsers who want to test what a script could find out about their surfing habits can visit the Start Panic website.
Update:
All modern browsers are protected against these kinds of attacks now.
The website mentioned in the last sentence should not display any sites that you have visited in the past if you are using a modern web browser.
There is no need anymore to restrict the styling of visited links in your web browser, but you can still do so if you want.
This article has a neat workaround for designers: http://www.webdesignfromscratch.com/html-css/getting-around-the-css-history-leak-limitations/
This related article also highlights the concerns being raised:
Most browsers silently expose intimate viewing habits
Zip codes, news articles, free for the taking
http://www.theregister.co.uk/2010/05/20/browser_history_attack/
and gives the url:
http://whattheinternetknowsaboutyou.com/
putting more meat on those data breach bones.
Um, changing the colours will do nothing to fix the issue. It still can be sniffed via the CSS :visited pseudo-class.
Hi Will,
Thanks for help in IE8:)
Now tell me what to do about opera?
Anything I have to change in Opera: Preferences > Web Pages > Normal link color / Visited link color??
You can check this site for more info and some solutions:
http://whattheinternetknowsaboutyou.com/
Hi kingpin,
IE: Internet Options > Appearance (Bottom) > Colors > Visited / Unvisited.
Uncheck “Use Windows colors” if it is checked so you can change the options.
Opera: Preferences > Web Pages > Normal link color / Visited link color
See: http://www.opera.com/support/usingopera/operaini/#vlink
Hope that helps,
Will
Martin,
Where do I set CSS visited links option in IE and Opera? As you can see I am not a Firefox user.
I’m not an expert on the topic but you could either change the colors of links and visited links to the same or disable the history in those web browsers. I do not think that they have an option to turn it off completely. I’m not sure on the effectiveness of this though, you may want to ask an expert on the topic or test it at the Panic site to see if they cannot identify the sites you have been on anymore after making the changes.