Wednesday, September 23, 2009

What the Internet Knows About You

The other day I had a sobering, scary experience in realizing how not private my browsing history is. Go ahead, try it for yourself by browsing to and come back here. (Don’t worry, this is not a hacking site – I would never endanger you or your data).

Within 3 seconds, you’ll see all the (major) sites in your browser’s history cache: where do you bank, what credit card do you use, what were your last search queries on Google or Yahoo, which government sites you visited… the list goes on and on.

This site’s sole purpose is to call attention to a security hole that exists in all browsers today, that allows sites indirect view of your browser’s history.

At the base of this hole lies a common browser behavior called “visited link”. As you no doubt know, many sites color links you’ve already visited in a different color that the other links – to remind you where you’ve visited already. Even if the site’s developer neglected to provide such behavior for his web page, your browser will take care of it automatically, as can be seen in this Firefox color setting dialog:

Developers can specify this behavior by adding an attribute to a page’s style sheet, like this:

a:visited { color: red; }

Now, when a browser renders the page, for each link it encounters, it checks the history to see if it exists (in other words, visited already), and if so, colors the link by the color specified.

The problem is: the browser allows any site to color any other site’s link as visited (in other words, may have a link to Yahoo on its page, and if it’s colored – know that I’ve been visiting Yahoo). Do you see where this is going?

All I have to do on my page is add a link, let’s say to, and ask the browser which color it intends to render it in. If red, I know for sure you’ve visited If I keep that link invisible, you won’t even know I did it. Now all I have to do is repeat on a global scale: have a pre-prepared list of site addresses, add them dynamically to the page, and ask the browser which colors will they appear in – and thus build a list of sites you’ve visited. Here’s a simple piece of code that might do that:

var url_array = new Array('', '');
var visited_array = new Array();
var link_el = document.createElement('a');
var computed_style = document.defaultView.getComputedStyle(link_el, "");
for (var i = 0; i < url_array.length; i++) {
link_el.href = array[i];
if (computed_style.getPropertyValue("color") == 'rgb(255, 0, 0)') {
// The color was red, so the link was visited

If you’re interested in understanding how ingenious and insidious is this code, visit this page.

So, how can you protect yourself from this gaping hole in your browser’s security? There are several ways that the site reviews, I’ll cover the 2 easiest methods:

  1. Disable scripts on web pages, either through the browser’s settings, or using an extension like NoScript – the side effect, of course, is that all dynamic activity on the page ceases – that includes menus, Ajax updates, smart controls etc. In today’s Web 2.0 sites, this solution will cripple your browsing.

  2. using the Stanford SafeHistory extension for Firefox – it basically allows every site to use the visited behavior only on links that came from the same site. The problem is that this is a Firefox-only solution, and that current versions of FF do not support it*. This adds the following setting to Firefox's privacy tab:
    Browsing to after installing the extension yielded the following message:
    Congratulations, we did not find anything in this category in your browser history.
  3. But of course, the real solution is to have our browsers’ developers (Microsoft, Mozilla, Google, Opera, Apple) fix this huge hole in their applications’ security. Go ahead – write to your favorite provider.
And until a permanent solution arrives – beware and be aware.

*A solution to the extension's compatibility with newer Firefox versions (for professionals only! You have to know what you’re doing):

  1. Open Firefox and type about:config in your address bar

  2. Ignore message and click the “I’ll be careful, I promise” button

  3. Right click in the list of keys, and select New>Boolean

  4. Enter extensions.checkCompatibility as the preference name

  5. Enter false as the preference value

  6. Close the tab and Restart your browser

  7. Your browser will stop checking extension compatibility from now on. You can run any extension on your FF, as long as it doesn’t do anything your version does not support. You can turn this key to ‘true’, or delete it altogether, to re-enable version checking (just don’t forget to restart the browser after changing any preference).

No comments: