Why DOES browsers (Fx) allow sites to "see" history_from visited li



How / why is it possible for sites / "others" to figure out which sites / links were visited, when Fx is set to change color of visited links? IOW, why is this allowed?

Other than constantly clearing history, is there any way / addon, etc., to allow changing visited links color & NOT give sites access to links visited on OTHER sites?

For a long time, this "problem" was apparently not widely known, as advanced users frequently posted workarounds to force Fx to change visited links color (if they didn't change automatically); such as adding command to userContent.css. Mods read those posts & also apparently weren't aware of privacy side effects (nor was anyone else).

Why would developers allow ANY persistent Fx / other browsers settings that potentially enable sites to see all sites / links users visited (that are still in their history)?

What makes it so difficult for devs to prevent this from happening & why has it taken so long to address the issue?

For many users, if "change visited link color" is effectively disabled, it reduces browser function tremendously, like on sites w/ long lists of articles, etc. Quite a conundrum.

MANY sites / articles discuss this issue. One link from another poster- article by David Baron, Mozilla Corporation: https://hacks.mozilla.org/2010/03/priva ... /#comments

It's been widely known for a while that CSS's ability to style visited links differently from unvisited ones, combined with other Web technology such as JavaScript or simply loading of background images, lets Web pages determine whether a URL is in the user's history very quickly [emphasis added] and without any interaction from the user. This is true in current versions of all major Web browsers. I have a solution that I believe fixes this problem, and therefore helps users keep their history private when they use a Web browser implementing that solution.

Another "reliable" site says: https://hacks.mozilla.org/2010/03/priva ... /#comments

...someone can walk through your history and figure out where you've been. And quickly - some tests show the ability to test 210,000 URLs per minute.

Yeah, as Neobond says, the website cannot see the data you have access but the browser knows you have so marks it like that with the CSS


At first I was gonna ridicule but then I decided to read. This is interesting. Oh well. I suppose that's what you get for using something that is free and managed by nobody. It does suck that this can be done.


It does suck that this can be done.

How so? So websites can add a little script to be able to see your browsing history, big woop, it's not like they're able to see your cookies doing this. It's like someone looking at only top part of receipts in your kitchen drawer, and seeing that you've been to Target and Yonkers but not being able to see what you did/bought there.

I personally don't see the problem


I didn't know about this privacy issue but it isn't that big of a concern to me. I have nothing to hide in my browsing history. If anyone uses my computer, I wouldn't care if they checked it.


It is exploitable, but impractical to exploit except on large sites with lots of legitimate links. For example, neowin could track which links users have visited at any time out of the set of links posted on neowin on pages you have loaded.


They don't see your history. It's all stored locally.

Your browser has hooks that check to see if you've ever visited that page, if it does then it makes the link color different pc side when the page is loaded. If there is an element in the site's CSS to specify which color then it generates the page using that element.


hmmmm found some info on this

http://sharovatov.wo...-privacy-issue/

Exactly.

Obviously, some replying to this don't understand the real potential for privacy (& possibly security) invasion. It has NOTHING to do w/ someone else using your computer. Read the links & you'll see.

rfirth,

It is exploitable, but impractical to exploit except on large sites with lots of legitimate links. For example, neowin could track which links users have visited at any time out of the set of links posted on neowin on pages you have loaded

According to several tech articles, goes much farther than that. Sites can see EVERY link (then every URL) you've been to, if they're still in history. NOT just links on their own site. Big difference.

Everyone, please try to address the question, if possible (not you rfirth). It's not a "non issue" to millions of users. If it was a non issue, mozilla employees wouldn't have worked on a solution.

Aethec, I read that article. It only says change is coming. So far, I've found nothing official saying it was implemented. You?

We're not sure what release this will be part of yet and the fixes are still making their way through code review,

It appears that google has also implemented this "fix" into chrome.

Chrome also lies :)


Exactly.

Obviously, some replying to this don't understand the real potential for privacy (& possibly security) invasion. It has NOTHING to do w/ someone else using your computer. Read the links & you'll see.

rfirth,

According to several tech articles, goes much farther than that. Sites can see EVERY link (then every URL) you've been to, if they're still in history. NOT just links on their own site. Big difference.

Everyone, please try to address the question, if possible (not you rfirth). It's not a "non issue" to millions of users. If it was a non issue, mozilla employees wouldn't have worked on a solution.

Aethec, I read that article. It only says change is coming. So far, I've found nothing official saying it was implemented. You?

/palm

So tell me, how would I go enabling this on my server. :whistle:


It may not be an issue to some, but some replying (or many users) aren't thinking this through. It may not be an issue for YOU, but could be a big issue for some. Searching medical info, legal info, if you're in a repressive country & want to look at sites on democracy. Could list a hundred valid concerns for some. Most of you aren't in wheel chairs. Does that mean they should repeal handicapped access laws?

It's like someone looking at only top part of receipts in your kitchen drawer, and seeing that you've been to Target and Yonkers but not being able to see what you did/bought there.

I personally don't see the problem

Only partly correct. Unless it's been totally patched, sites can see EVERY link on every site you visited. If you're just shopping for clothes, not big issue (still spying). Seeking medical, legal, democracy info - could be BIG deal. That's just tip of the iceberg.

KibosJ, where'd you find that a fix has been implemented in Fx?


/palm

So tell me, how would I go enabling this on my server. :whistle:

<script src="stealin_infoz"></script>

Have it save the information any way you want. I think there was some confusion in the original post, this doesn't have anything to do with CSS :visited styling (well... very little to do with that), it's grabbing information using JavaScript.


Firefox (as other browsers) had this problem once but then it got fixed (I know it got fixed in Firefox but I think it's the same for others). I'm pretty sure because I remember CSS3 selector test had a test case in which he tested the :link/:hover/:visited pseudo-classes being recognized by the browser and soon after the problem was fixed Firefox was failing that test. That test case was later removed because the website wasn't able anymore to see how the link was styled after the fix.

edit: see

http://tools.css3.info/selectors-test/test.html

Update June 30th, 2010: The tests for the :visited and :link selectors have been removed from the test-suite. Almost all browsers have made it impossible to detect style changes between a visited and unvisited links due to privacy concerns. This also affects the ability to test these selectors without user interaction.
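The fix discussed in the posts above (script is always told the unvisited style, and :visited rules may only change colours), modelled as an added example that is not code from this thread or from any browser. The rule format, the URLs and the function names are assumptions made for illustration, and the property list is abridged.

```javascript
// Added illustration: a simplified model of the :visited mitigation, not browser source.
// Colour-only properties a :visited rule is still allowed to change (abridged list).
const VISITED_SAFE = new Set([
  'color', 'background-color', 'border-top-color', 'border-right-color',
  'border-bottom-color', 'border-left-color', 'outline-color', 'fill', 'stroke',
]);

// Constructed sample data: one history entry and a stylesheet that tries to
// make visited links differ in size and trigger a background-image request.
const sampleHistory = new Set(['https://visited.example/']);
const sampleSheet = [
  { pseudo: 'link', decls: { color: 'blue', 'font-size': '16px', 'background-image': 'none' } },
  { pseudo: 'visited', decls: { color: 'purple', 'font-size': '40px', 'background-image': 'url(/hit)' } },
];

// Returns what is drawn on screen and what script is told for one link.
function resolveLink(href, rules, history) {
  const asUnvisited = {}; // style computed as if the link was never visited
  const asVisited = {};   // style computed as if it was
  for (const { pseudo, decls } of rules) {
    if (pseudo !== 'visited') Object.assign(asUnvisited, decls);
    if (pseudo !== 'link') Object.assign(asVisited, decls);
  }
  const painted = { ...asUnvisited };
  if (history.has(href)) {
    // Only colour properties are taken from the visited style.
    for (const prop of VISITED_SAFE) {
      if (prop in asVisited) painted[prop] = asVisited[prop];
    }
  }
  // Script always receives the unvisited style, whatever the history says.
  return { painted, scriptVisible: { ...asUnvisited } };
}

// Properties through which a page could tell two links apart: anything script
// can read, plus painted properties that affect layout or network requests.
function observableDifferences(a, b) {
  const diffs = [];
  for (const prop of Object.keys({ ...a.scriptVisible, ...b.scriptVisible })) {
    if (a.scriptVisible[prop] !== b.scriptVisible[prop]) diffs.push(`script:${prop}`);
  }
  for (const prop of Object.keys({ ...a.painted, ...b.painted })) {
    if (!VISITED_SAFE.has(prop) && a.painted[prop] !== b.painted[prop]) diffs.push(`render:${prop}`);
  }
  return diffs;
}

const seen = resolveLink('https://visited.example/', sampleSheet, sampleHistory);
const unseen = resolveLink('https://other.example/', sampleSheet, sampleHistory);
console.log(seen.painted.color, seen.scriptVisible.color, observableDifferences(seen, unseen));
```

The visited link is still drawn in its own colour for the user, while the values script can read, the layout and the network requests are the same for both links.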

Heartripper - yes, I saw that mentioned in the bugzilla report on this original issue (finally found it). https://bugzilla.moz...g.cgi?id=147777 :visited support allows queries into global history

ORIGINALLY reported in 2002 - and though some patches have been implemented, they're STILL discussing it today. TEN YEARS. Much of discussion is over my head, but seems there are still problems - of some type. Maybe some tech gurus could read the latest discussion on bug 147777 (Jun 2012) & translate what supposed unresolved issues still exist on this.

There are new bug reports / discussions about other potential exploits, loosely related to orig. bug 147777.

After they let this thing go on for 8 - 10 yrs, my gut says, if you are concerned about real privacy, better use a good proxy or Tor or some equivalent. Depending on browser(s) devs, that take 8 yrs to fix a problem, to build a product that mostly protects your privacy isn't a good bet.


Thanks Grinder. Do tell. Aside from fact it took ~ 8 yrs to fix a privacy issue, & (at least) they may have fixed sites being able to read your entire history from changed color on visited links, if you "turn it all off," visited links won't change colors. (assume that's what you meant?) Unless you meant something else, it's really hard to keep up w/ which links I've followed on a large site w/o changing link colors.

