27 posts in this topic

How / why is it possible for sites / "others" to figure out which sites / links were visited, when Fx is set to change color of visited links? IOW, why is this allowed?

Other than constantly clearing history, is there any way / addon, etc., to allow changing visited links color & NOT give sites access to links visited on OTHER sites?

For a long time, this "problem" was apparently not widely known, as advanced users frequently posted workarounds to force Fx to change visited links color (if they didn't change automatically); such as adding command to userContent.css. Mods read those posts & also apparently weren't aware of privacy side effects (nor was anyone else).

Why would developers allow ANY persistent Fx / other browsers settings that potentially enable sites to see all sites / links users visited (that are still in their history)?

What makes it so difficult for devs to prevent this from happening & why has it taken so long to address the issue?

For many users, if "change visited link color" is effectively disabled, it reduces browser function tremendously, like on sites w/ long lists of articles, etc. Quite a conundrum.

MANY sites / articles discuss this issue. One link from another poster- article by David Baron, Mozilla Corporation: https://hacks.mozilla.org/2010/03/priva ... /#comments

It's been widely known for a while that CSS's ability to style visited links differently from unvisited ones, combined with other Web technology such as JavaScript or simply loading of background images, lets Web pages determine whether a URL is in the user's history very quickly [emphasis added] and without any interaction from the user. This is true in current versions of all major Web browsers. I have a solution that I believe fixes this problem, and therefore helps users keep their history private when they use a Web browser implementing that solution.

Another "reliable" site says: https://hacks.mozilla.org/2010/03/priva ... /#comments

...someone can walk through your history and figure out where you've been. And quickly - some tests show the ability to test 210,000 URLs per minute.


Um, the site does not have access to this data, you do. The browser is merely being helpful in showing links that were already visited.

5 people like this


Yeah, as Neobond says, the website cannot see the data you have access but the browser knows you have so marks it like that with the CSS.


Wrong. Read articles at the links, or tens of dozens of other tech articles. It is a privacy concern / issue.


At first I was gonna ridicule but then I decided to read. This is interesting. Oh well. I suppose that's what you get for using something that is free and managed by nobody. It does suck that this can be done.


It does suck that this can be done.

How so? So websites can add a little script to be able to see your browsing history, big woop, it's not like they're able to see your cookies doing this. It's like someone looking at only top part of receipts in your kitchen drawer, and seeing that you've been to Target and Yonkers but not being able to see what you did/bought there.

I personally don't see the problem


What if they can see you have been to a clown porn site and then tell on you :woot: oh no lol

1 person likes this


It's a non issue really


I didn't know about this privacy issue but it isn't that big of a concern to me. I have nothing to hide in my browsing history. If anyone uses my computer, I wouldn't care if they checked it.


It is exploitable, but impractical to exploit except on large sites with lots of legitimate links. For example, neowin could track which links users have visited at any time out of the set of links posted on neowin on pages you have loaded.


If you are this concerned about privacy, the internet is not for you lol


They don't see your history. It's all stored locally.

Your browser has hooks that check to see if you've ever visited that page, if it does then it makes the link color different pc side when the page is loaded. If there is an element in the site's CSS to specify which color then it generates the page using that element.


hmmmm found some info on this

http://sharovatov.wo...-privacy-issue/

Exactly.

Obviously, some replying to this don't understand the real potential for privacy (& possibly security) invasion. It has NOTHING to do w/ someone else using your computer. Read the links & you'll see.

rfirth,

It is exploitable, but impractical to exploit except on large sites with lots of legitimate links. For example, neowin could track which links users have visited at any time out of the set of links posted on neowin on pages you have loaded

According to several tech articles, goes much farther than that. Sites can see EVERY link (then every URL) you've been to, if they're still in history. NOT just links on their own site. Big difference.

Everyone, please try to address the question, if possible (not you rfirth). It's not a "non issue" to millions of users. If it was a non issue, mozilla employees wouldn't have worked on a solution.

Aethec, I read that article. It only says change is coming. So far, I've found nothing official saying it was implemented. You?

We're not sure what release this will be part of yet and the fixes are still making their way through code review,


It appears that google has also implemented this "fix" into chrome.

Chrome also lies :)


Exactly.

Obviously, some replying to this don't understand the real potential for privacy (& possibly security) invasion. It has NOTHING to do w/ someone else using your computer. Read the links & you'll see.

rfirth,

According to several tech articles, goes much farther than that. Sites can see EVERY link (then every URL) you've been to, if they're still in history. NOT just links on their own site. Big difference.

Everyone, please try to address the question, if possible (not you rfirth). It's not a "non issue" to millions of users. If it was a non issue, mozilla employees wouldn't have worked on a solution.

Aethec, I read that article. It only says change is coming. So far, I've found nothing official saying it was implemented. You?

/palm

So tell me, how would I go enabling this on my server. :whistle:


It may not be an issue to some, but some replying (or many users) aren't thinking this through. It may not be an issue for YOU, but could be a big issue for some. Searching medical info, legal info, if you're in a repressive country & want to look at sites on democracy. Could list a hundred valid concerns for some. Most of you aren't in wheelchairs. Does that mean they should repeal handicapped access laws?

It's like someone looking at only top part of receipts in your kitchen drawer, and seeing that you've been to Target and Yonkers but not being able to see what you did/bought there.

I personally don't see the problem

Only partly correct. Unless it's been totally patched, sites can see EVERY link on every site you visited. If you're just shopping for clothes, not big issue (still spying). Seeking medical, legal, democracy info - could be BIG deal. That's just tip of the iceberg.

KibosJ, where'd you find that a fix has been implemented in Fx?


/palm

So tell me, how would I go enabling this on my server. :whistle:

<script src="stealin_infoz"></script>

Have it save the information any way you want. I think there was some confusion in the original post, this doesn't have anything to do with CSS :visited styling (well... very little to do with that), it's grabbing information using JavaScript.


Firefox (as other browsers) had this problem once but then it got fixed (I know it got fixed in Firefox but I think it's the same for others). I'm pretty sure because I remember CSS3 selector test had a test case in which he tested the :link/:hover/:visited pseudo-classes being recognized by the browser and soon after the problem was fixed Firefox was failing that test. That test case was later removed because the website wasn't able anymore to see how the link was styled after the fix.

edit: see

http://tools.css3.info/selectors-test/test.html

Update June 30th, 2010: The tests for the :visited and :link selectors have been removed from the test-suite. Almost all browsers have made it impossible to detect style changes between a visited and unvisited links due to privacy concerns. This also affects the ability to test these selectors without user interaction.


Heartripper - yes, I saw that mentioned in the bugzilla report on this original issue (finally found it). https://bugzilla.moz...g.cgi?id=147777 :visited support allows queries into global history

ORIGINALLY reported in 2002 - and though some patches have been implemented, they're STILL discussing it today. TEN YEARS. Much of discussion is over my head, but seems there are still problems - of some type. Maybe some tech gurus could read the latest discussion on bug 147777 (Jun 2012) & translate what supposed unresolved issues still exist on this.

There are new bug reports / discussions about other potential exploits, loosely related to orig. bug 147777.

After they let this thing go on for 8 - 10 yrs, my gut says, if you are concerned about real privacy, better use a good proxy or Tor or some equivalent. Depending on browser(s) devs, that take 8 yrs to fix a problem, to build a product that mostly protects your privacy isn't a good bet.


This can all be turned off by the user.


Thanks Grinder. Do tell. Aside from fact it took ~ 8 yrs to fix a privacy issue, & (at least) they may have fixed sites being able to read your entire history from changed color on visited links, if you "turn it all off," visited links won't change colors. (assume that's what you meant?) Unless you meant something else, it's really hard to keep up w/ which links I've followed on a large site w/o changing link colors.
