
76% of Web Users Affected By Browser History Stealing

CmdrTaco posted more than 3 years ago | from the seems-like-it-should-be-more dept.

Firefox 130

An anonymous reader writes "Web browser history detection with the CSS :visited trick has been known for the last ten years, but recently published research suggests that the problem is bigger than previously thought. A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites. Newer browsers such as Safari and Chrome were even more affected, with 82% and 94% of users vulnerable. An average of 63 visited locations were detected per user, and for the top 10% of users the tests found over 150 visited sites. The website has a summary of the findings; the full paper (PDF) is available as well."

130 comments

If you didn't want your browser history detected.. (1)

NickLarsen (1771130) | more than 3 years ago | (#32265344)

You shouldn't have been browsing the internet. But I am curious... how is this information used maliciously, excluding advertising?

Re:If you didn't want your browser history detecte (3, Insightful)

digitalsushi (137809) | more than 3 years ago | (#32265412)

Well for starters, I can email you a joke of the day and log whether you've been to the craigslist personals lately. Your wife might not like knowing that.

Re:If you didn't want your browser history detecte (2, Insightful)

commodoresloat (172735) | more than 3 years ago | (#32266358)

who the hell reads "joke of the day" emails?

Re:If you didn't want your browser history detecte (1)

gorzek (647352) | more than 3 years ago | (#32267740)

> who the hell reads "joke of the day" emails?

More people than read Slashdot.

Re:If you didn't want your browser history detecte (1)

denis-The-menace (471988) | more than 3 years ago | (#32265444)

They give your PC a cookie and then they can see by your history how old you are, your favorite porn sites, if you're gay, etc.

Then they sell that info to advertisers and their ilk.

Re:If you didn't want your browser history detecte (3, Informative)

Anonymous Coward | more than 3 years ago | (#32265618)

No need for cookies, you just use javascript and CSS.

I actually implemented a history sniffer for an online advertising company a few years ago; we were using it as an additional selling point for potential advertisers, as in "We can tell you what percentage of your visitors have visited your rivals' landing pages".

Worth remembering you can only test against a list of exact urls that you're interested in, you can't just go browsing through a visitor's history. In other words, if I wanted to know how many pages you'd read on Slashdot, I'd need to test against every single possible URL.

Realistically that's pretty useless - I'd try to sell Ars Technica a solution that told them how many of their visitors have been to http://slashdot.org/ [slashdot.org]. The obvious issue here is that neither I nor Ars Technica would need to get permission for this from either Slashdot or you; at the very least my product would need to give you an option to opt out.

Re:If you didn't want your browser history detecte (1)

wjousts (1529427) | more than 3 years ago | (#32268010)

> No need for cookies, you just use javascript and CSS.

No need for JavaScript either. You can do it with CSS alone.

Re:If you didn't want your browser history detecte (1)

Pojut (1027544) | more than 3 years ago | (#32265456)

> how is this information used maliciously, excluding advertising?

Many people consider advertising to be a malicious use.

Personally, I don't mind my information being used for advertising. Living in 2010, it's an unavoidable fact of life that we are going to encounter advertising everywhere. I would much rather it be for products and services that I actually have an interest in rather than stuff I don't care about.

Re:If you didn't want your browser history detecte (0)

Anonymous Coward | more than 3 years ago | (#32265636)

You silly sod.

Advertising puts the idea of the product they are trying to sell, into your head. It may be that you 'want' the thing once it is there but before the advertiser got to work on you, there is every likelihood that you would have been perfectly happy without the product.

You really have no idea how advertising works do you. They must love you.

Re:If you didn't want your browser history detecte (1)

Pojut (1027544) | more than 3 years ago | (#32265788)

> You silly sod.

> Advertising puts the idea of the product they are trying to sell, into your head. It may be that you 'want' the thing once it is there but before the advertiser got to work on you, there is every likelihood that you would have been perfectly happy without the product.

> You really have no idea how advertising works do you. They must love you.

My point is I would rather see advertising about a new motherboard or a speaker set rather than tampons or life insurance.

Re:If you didn't want your browser history detecte (1)

phyrexianshaw.ca (1265320) | more than 3 years ago | (#32265924)

I second the above opinion. Your will is your own, but please, stop Microsoft from showing me ads for funeral homes in Georgia. I really, really don't care.

Re:If you didn't want your browser history detecte (3, Funny)

daremonai (859175) | more than 3 years ago | (#32266376)

Yeah, if I see those ads one more time I think I'll die!

Hey, wait a second ....

Re:If you didn't want your browser history detecte (1)

rickb928 (945187) | more than 3 years ago | (#32265958)

Yuh. I go to look for a particular designer's eyeglass frames, and I don't get ads for that designer's frames, nor do I get ads for eyeglasses or even sunglasses.

I get ads that send me to link farms, malware hatcheries, FAKE shopping sites, etc. Seems the evil advertisers pay more to get to the top of the list.

Pus.

Re:If you didn't want your browser history detecte (1)

element-o.p. (939033) | more than 3 years ago | (#32267258)

Advertising is just a Jedi mind trick; it's only effective in the way you suggest if you are rather weak-minded.

Personally, I find that advertising is only effective once I am already in the market for something (i.e., my car just threw a transmission, and now I am shopping for another one). It is very rare indeed that I see an ad for something and start thinking, "Wow...I could really use one of those." YMMV, of course, but if you often find yourself desperately "needing" something once you saw an ad for it -- even though you were perfectly happy without it until you saw the ad -- then I have a couple of droids that you aren't looking for.

Re:If you didn't want your browser history detecte (2, Insightful)

boxwood (1742976) | more than 3 years ago | (#32267504)

But when looking for a new car you get certain feelings about certain brands. When you're looking at a chevy truck you'll get a feeling that it's really solid (Like a Rock!) that Ford looks like it's durable (Ford Tough!) and when you look at a mazda you'll get the feeling that this car has really got some pep (zoom! zoom!).

Those little jingles and slogans may not even pop into your head while test driving but they're there and have an influence over your purchasing decision. Sure you'll look at the price and all the other considerations, but if the Mazda is only a couple of hundred dollars more but it just felt more fun to drive, well you'll pay the extra to get the zoom zoom.

Re:If you didn't want your browser history detecte (1)

gorzek (647352) | more than 3 years ago | (#32267798)

All the above only means that you should do research before making a major purchase. If you go to a car dealership, totally uninformed about what you want and just base everything on your gut instincts, you deserve what you get.

Read the reviews, read Consumer Reports, do a bunch of test drives. For God's sake, if you're going to drop five or six figures on something, make sure it's really what you want and need!

Re:If you didn't want your browser history detecte (0)

Anonymous Coward | more than 3 years ago | (#32268244)

There is absolutely no proof that advertisements actually work.

Companies don't advertise because it works, they advertise because it might work. They don't take the chance.

There are however some parts of advertisement that do work. People need to know that a product or brand exists to actually buy it.

Re:If you didn't want your browser history detecte (1)

Carnildo (712617) | more than 3 years ago | (#32269338)

> But when looking for a new car you get certain feelings about certain brands. When you're looking at a chevy truck you'll get a feeling that it's really solid (Like a Rock!) that Ford looks like it's durable (Ford Tough!) and when you look at a mazda you'll get the feeling that this car has really got some pep (zoom! zoom!).

Maybe you do. I don't.

It might be the fact that I see maybe a hundredth as many ads as the typical person, but my impressions of products are shaped more by cultural osmosis than by marketing slogans (American automakers don't make quality vehicles; Japanese automakers know quality, but never got the hang of pickup trucks).

Re:If you didn't want your browser history detecte (0)

Anonymous Coward | more than 3 years ago | (#32267312)

how about when your health insurance is dropped because you visited a cancer web site.

Re:If you didn't want your browser history detecte (4, Insightful)

Nadaka (224565) | more than 3 years ago | (#32265562)

People generally use the same or similar usernames and passwords for most of their online identities. If you know someone in particular uses facebook.com, hotmail.com, kittenwar.com and randombank.com you can use facebook and kittenwar as attack vectors against their email and banks. Alone, history sniffing does not present a huge threat. But it can dramatically increase someone's vulnerability to identity theft.

Re:If you didn't want your browser history detecte (0)

Anonymous Coward | more than 3 years ago | (#32266760)

Well, and who wants any other site to know what porn sites they visit?

Re:If you didn't want your browser history detecte (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32268128)

Another type of sniffing that is useful is ass-sniffing. From the gases emitted from a user's anus, one can deduce the types of foods the user consumes. This can be used to answer user's privacy protection questions like "What is your favorite food?" or "What kinds of foods give you gas?"

Re:If you didn't want your browser history detecte (1)

aztracker1 (702135) | more than 3 years ago | (#32268772)

I use a different set of passwords depending on importance. I treat my online "social website" identities like public information, don't put what I wouldn't want found up. If more people simply did that, it'd be a lot easier.

Re:If you didn't want your browser history detecte (1)

thetoadwarrior (1268702) | more than 3 years ago | (#32269020)

It only detected 2 out of 20+ sites I visited since last clearing out my cache (slight porn guilt makes me do it every so often) both of which have passwords I use only for those sites. I don't really care if someone gets my slashdot account details or twitter details. It's certainly not the end of the world.

10 years = nothing done (2, Interesting)

TheMeuge (645043) | more than 3 years ago | (#32265822)

I am not a programmer... but it seems absolutely amazing to me that since this vulnerability has become known (10 years?) nothing has been done to address it. The only two ways to avoid having your history accessed this way, is either to prevent your browser from marking sites as "visited" altogether, or to regularly delete your browsing history.

How is it that Firefox, an open-source browser, still hasn't had this issue fixed in all these years?..

Re:10 years = nothing done (3, Insightful)

GungaDan (195739) | more than 3 years ago | (#32265880)

Doesn't unchecking the "keep my history" button under "privacy" take care of this?

Re:10 years = nothing done (2, Informative)

TheCycoONE (913189) | more than 3 years ago | (#32266042)

http://blogs.msdn.com/ieinternals/archive/2009/06/17/CSSHistoryProbing.aspx [msdn.com] is an article on the subject.

Essentially the vulnerability is a feature of the spec. Even without JavaScript or cookies, the CSS specification allows a web developer to specify that a particular icon/cursor/background-image should be shown for visited links. The exposure is that the client only downloads resources when they are needed to preserve bandwidth, and the server knows what has been requested from it, so I could put in then put somewhere in my css #google:visited { background: url("userwenttogoogle.png"); } [google.com]

The problem is the only way to protect against the vulnerability is to remove features which are part of the spec (potentially breaking legitimate and standard compliant web pages), to download all resources (wasting lots of bandwidth), or putting the user in control (probably more annoying than useful as most users won't understand the dialog)

Re:10 years = nothing done (0)

Anonymous Coward | more than 3 years ago | (#32266286)

or to write an extension, similar to noscript that whitelists :visited url.

Or a checkbox to disable :visited pseudo class. I find it's not really that useful anyway.

Re:10 years = nothing done (2, Insightful)

Qzukk (229616) | more than 3 years ago | (#32266916)

I think the most appropriate way is to prevent :visited from applying to any URL not within the current domain.

Re:10 years = nothing done (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32267548)

The problem with that is that will break the page layout for any links which are external to your site. I think the best way to handle it would be to preload all :visited related images at page load. Needed or not. This will result in expected page layout, and it won't be possible to infer which links were already visited. Possibly a memory hog, but browsers can also detect when a page tried to load 10,000 :visited related images and flag as possibly malicious.

Re:10 years = nothing done (1)

Logic and Reason (952833) | more than 3 years ago | (#32266298)

But browsers could be made to download just :visited images, as a security-related exception to the "download as needed" policy. This shouldn't affect performance at all, since sites that actually do this for "legitimate" reasons should be vanishingly rare.

Re:10 years = nothing done (3, Informative)

psbrogna (611644) | more than 3 years ago | (#32266566)

I don't think you're correct in your list of options for protecting against the vulnerability. As a general principle, client side code from an untrusted source (ie. the web) should only have access to client side content which originated from the same source. In the case we're talking about, the content has been modified by the client based on private client state (ie. visited links), at this stage, the content should no longer be accessible to the code. If the rendering pipeline were more compartmentalized (ie. think XSLT translation steps), then code in one department wouldn't have access to content that has been modified based on private client state.

In this manner, the client environment could modify the content at will (ie. changing style for links to web sites you've been to, blocking ads, stripping flash, turning off client side code functionality entirely, etc.) without fear of what's being harvested or inferred. I don't know what a client's browser does to a dom to make it consumable by the deaf or blind, but if that's something that can be detected by untrusted code then I believe it's another example of violating a user's privacy.

Re:10 years = nothing done (3, Informative)

tuomasb (981596) | more than 3 years ago | (#32266798)

Here is a demonstration of the hack using only CSS: http://ha.ckers.org/weird/CSS-history.cgi [ckers.org]

You can also use:

background: url("logger.php?site=pornsite.com");

No need for the background to be a real image. This even works if you're using Noscript with Firefox.

Re:10 years = nothing done (1)

weicco (645927) | more than 3 years ago | (#32268478)

All I'm getting is "The following sites were visited:" and then nothing. I'm not impressed :)

Re:10 years = nothing done (1)

element-o.p. (939033) | more than 3 years ago | (#32267294)

> ...or to regularly delete your browsing history.

Maybe I belong in the tin-foil hat crowd, but I have my browser set to do this every time I close it.

Re:10 years = nothing done (0)

Anonymous Coward | more than 3 years ago | (#32267664)

Who closes their browser? With 8-12 GB of ram, my browser only closes upon crash or quarterly reboot for kernel updates.

Re:If you didn't want your browser history detecte (1)

metrometro (1092237) | more than 3 years ago | (#32267646)

1) Spear-phishing. When I threw my browser (Chrome) at it, it spit back a list of specific pages at online vendors. From there, you can make some pretty good guesses about things I've bought lately: in this case, a Dell laptop. I wouldn't click on a recall notice from Dell (register for a replacement kit!), but a lot of people would go down that rabbit hole.

2) Same-password attack. Site A requires login, scrapes list of your recently used sites, then tries the same user/password at B, C, D from your history.

Re:If you didn't want your browser history detecte (1)

thetoadwarrior (1268702) | more than 3 years ago | (#32268986)

According to their link it isn't even that good. It showed that I came here and twitter meaning it missed out about 20+ other sites. Considering I didn't do much at all at twitter and I don't who knows I come here, I'm not too worried.

Chrome 5 (4, Interesting)

binkzz (779594) | more than 3 years ago | (#32265350)

Using Chrome 5 development version, the site says it can't find any history on my machine at all (not using incognito).

Firefox, on the other hand, has a potty mouth.

Re:Chrome 5 (0)

Anonymous Coward | more than 3 years ago | (#32265466)

Using Firefox 3.7a5pre development version, the site says it can't find any history on my machine at all (not using private browsing mode).

Chrome, on the other hand, has a potty mouth.

Re:Chrome 5 (0)

Anonymous Coward | more than 3 years ago | (#32267470)

Alpha build? Are you kidding? I cannot even locate that version on Mozilla's site. Is it a nightly build or something?

At least the Chrome betas are actually used -- probably more than release builds themselves. Chrome betas are always 100% stable.

English as Second Language (4, Insightful)

rueger (210566) | more than 3 years ago | (#32265362)

Hey Taco! "Vulnerable" and "Affected by" are not synonyms.

Re:English as Second Language (5, Funny)

Anonymous Coward | more than 3 years ago | (#32265646)

In other words, I'm vulnerable to a sexual attack by Scarlett Johansson. Unfortunately, I've never been affected by such an attack.

Re:English as Second Language (3, Funny)

olsmeister (1488789) | more than 3 years ago | (#32267274)

You're also vulnerable to a sexual attack by Mr T. However I hope you are never affected by that attack either.

Re:English as Second Language (0)

Anonymous Coward | more than 3 years ago | (#32268310)

Well, unless you want to be of course. Not that there's anything wrong with it.

Re:English as Second Language (0)

Anonymous Coward | more than 3 years ago | (#32269326)

> Hey Taco! "Vulnerable" and "Affected by" are not synonyms.

The Spanish expression for "affected by" is not interchangeable with the Spanish expression for "vulnerable". I'm not sure why this was modded insightful.

vulnerable != affected (5, Informative)

chebucto (992517) | more than 3 years ago | (#32265368)

TFA describes a honey-pot based study. It doesn't describe a real-world study of people whose browser histories were actually stolen by actual malicious websites.

Terrible headline. (0, Redundant)

maxume (22995) | more than 3 years ago | (#32265374)

76% are vulnerable, it hasn't been demonstrated that someone is using this technique for nefarious purposes (or at least, effectively using it, maybe some nerd somewhere sniffed some people's browser history).

Then there is the part where finding out someone used Facebook, Yahoo and Google doesn't tell you much. I suppose, knowing they Google'd for prostitutes would be of some use, but good luck constructing that exact url.

94%? (4, Funny)

Thanshin (1188877) | more than 3 years ago | (#32265394)

In today's news:

Just a small sliver of web users are victims of Browser History Stealing. Most are running Windows 7, connecting through an IPhone and paying Facebook for the privilege.

Uh oh... (1)

elrous0 (869638) | more than 3 years ago | (#32265452)

Does this mean that potentially hundreds of sites know that I visit slashdot regularly?!?!?

Well, there goes my bad boy persona.

Re:Uh oh... (0, Offtopic)

RJFerret (1279530) | more than 3 years ago | (#32265598)

Nah, it was the collection in your history of Disney.com, gurl.com, Barbie.com, JustinBieberMusic.com, GirlsOnlyForum.com...actually...the gurl.com in there might enhance your "bad girl" persona.

When you played the barbie dress up game, did you dress her as a rocker chick?

To be fixed in a future Firefox version (5, Informative)

Anonymous Coward | more than 3 years ago | (#32265472)

According to http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/ a future version of Firefox will address the :visited privacy issue.

One could also set layout.css.visited_links_enabled=false via about:config to disable :visited completely (at least until the issue is fixed in a future Firefox release).

Re:To be fixed in a future Firefox version (0)

Anonymous Coward | more than 3 years ago | (#32265540)

set layout.css.visited_links_enabled=false via about:config ... (Firefox)

Mod parent up. Helpful.

Re:To be fixed in a future Firefox version (1)

darkinnit (710102) | more than 3 years ago | (#32265778)

Is there any way to implement a similar workaround in Chrome, Opera, Safari and dare I ask... IE?

Re:To be fixed in a future Firefox version (0)

Anonymous Coward | more than 3 years ago | (#32265876)

So what does this affect in terms of browsing experience?

Re:To be fixed in a future Firefox version (1)

Millennium (2451) | more than 3 years ago | (#32266950)

> So what does this affect in terms of browsing experience?

Visited links would look the same as unvisited ones.

Re:To be fixed in a future Firefox version (0)

Anonymous Coward | more than 3 years ago | (#32266964)

WHHHooopty shit.

Re:To be fixed in a future Firefox version (1)

Millennium (2451) | more than 3 years ago | (#32267032)

Yeah, I don't see it as all that much of a loss either, but someone asked, so I answered.

Re:To be fixed in a future Firefox version (2, Insightful)

CKW (409971) | more than 3 years ago | (#32267190)

It used to be an important/useful feature of the web/html -- until "website designers" decided that they didn't like the look and started making certain that all links looked the same, and other things that also made it stop working.

I have a question - why the ****** does a website need to have/see/retrieve the list of URLs I've been at in order to do this - coloring links is a browser side feature! The only thing a website needs to do is suggest which colors to use for said links.

This was grossly unintentional right? Someone didn't choose to implement this specific behaviour, right?

Re:To be fixed in a future Firefox version (1, Informative)

Anonymous Coward | more than 3 years ago | (#32267490)

> I have a question - why the ****** does a website need to have/see/retrieve the list of URLs I've been at in order to do this - coloring links is a browser side feature! The only thing a website needs to do is suggest which colors to use for said links.

But you can do more than just colour the links. You could do things like, for example, display a different link image depending on whether or not the link has been visited. In that case, it is still the browser that is making the decision which image to display, but then it has to retrieve the appropriate image from the server. Now, the server sees which image is being retrieved, and therefore knows the visited status of the link.

Re:To be fixed in a future Firefox version (1)

amorsen (7485) | more than 3 years ago | (#32267670)

> I have a question - why the ****** does a website need to have/see/retrieve the list of URLs I've been at in order to do this - coloring links is a browser side feature! The only thing a website needs to do is suggest which colors to use for said links.

They don't retrieve the list. The web site just makes a link with a :visited attribute which says e.g. that visited links should show a certain background image. And then they wait for the image requests...

Re:To be fixed in a future Firefox version (5, Informative)

boxwood (1742976) | more than 3 years ago | (#32267730)

the website doesn't get a list of websites.

what happens is the server sets the visited link to show an image, while the unvisited link doesn't. The browser sees that an image is supposed to be displayed for the visited site, checks its history, sees that you have indeed visited that site and then downloads that image to display on the link. The server sees that you downloaded visited-slashdot.png... so it knows you have visited slashdot.

Of course visited-slashdot.png doesn't even need to exist, it just needs to see the request for that file from your browser to know you've been there.

Really CSS just shouldn't allow different images for visited and unvisited links... nobody uses this feature.
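Added example, not part of the thread or any commenter's code: a stylesheet audit for the pattern the comments above describe, where a rule under :visited carries a url() that the server can watch for, following the suggestion earlier in the thread that such loads could be counted and flagged. The function names, the maxRemoteLoads threshold and the sample stylesheet are assumptions made for illustration.

```javascript
// Added example: audit a stylesheet for :visited rules that can reveal history.

// Colour-only properties. Assumption: this mirrors the colour-only limit that
// browsers later placed on :visited styling.
const COLOUR_ONLY = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'fill', 'stroke',
]);

// Split on `sep` only outside quotes and parentheses, so the ';' in
// url(data:image/png;base64,...) or the ',' in :not(a, b) is not a boundary.
function splitTop(text, sep) {
  const parts = [];
  let depth = 0, quote = null, start = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quote) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") quote = c;
    else if (c === '(') depth++;
    else if (c === ')') depth = Math.max(0, depth - 1);
    else if (c === sep && depth === 0) {
      parts.push(text.slice(start, i));
      start = i + 1;
    }
  }
  parts.push(text.slice(start));
  return parts.map((s) => s.trim()).filter(Boolean);
}

// Index of the '}' closing the '{' at `open`, ignoring braces inside quotes.
function matchBrace(css, open) {
  let depth = 0, quote = null;
  for (let i = open; i < css.length; i++) {
    const c = css[i];
    if (quote) {
      if (c === '\\') i++;
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") quote = c;
    else if (c === '{') depth++;
    else if (c === '}' && --depth === 0) return i;
  }
  return css.length;                       // unbalanced: rest of sheet is the block
}

// Yield {selector, body} for each style rule, descending into grouping at-rules.
function* styleRules(css) {
  let i = 0;
  while (i < css.length) {
    const open = css.indexOf('{', i);
    if (open === -1) return;
    const close = matchBrace(css, open);
    // Drop statements such as @import that precede the selector.
    const prelude = splitTop(css.slice(i, open), ';').pop() || '';
    const body = css.slice(open + 1, close);
    if (/^@(media|supports|layer|document)\b/i.test(prelude)) yield* styleRules(body);
    else if (!prelude.startsWith('@')) yield { selector: prelude, body };
    i = close + 1;
  }
}

// Report every declaration under a :visited selector that either triggers a
// network fetch (the server-visible signal described in the thread) or changes
// something other than colour. `maxRemoteLoads` is a hypothetical threshold.
function auditVisited(css, maxRemoteLoads = 0) {
  const findings = [];
  const sheet = css.replace(/\/\*[\s\S]*?\*\//g, '');   // strip comments
  for (const { selector, body } of styleRules(sheet)) {
    const hits = splitTop(selector, ',').filter((s) => /:visited\b/i.test(s));
    if (hits.length === 0) continue;
    for (const decl of splitTop(body, ';')) {
      const colon = decl.indexOf(':');
      if (colon === -1) continue;
      const prop = decl.slice(0, colon).trim().toLowerCase();
      const value = decl.slice(colon + 1).trim();
      let kind = null;
      if (/\b(url|image-set)\(/i.test(value)) kind = 'remote-load';
      else if (!COLOUR_ONLY.has(prop)) kind = 'non-colour';
      if (kind) findings.push({ selector: hits.join(', '), prop, value, kind });
    }
  }
  const remoteLoads = findings.filter((f) => f.kind === 'remote-load').length;
  return { findings, remoteLoads, suspicious: remoteLoads > maxRemoteLoads };
}

// Constructed sample stylesheet, modelled on the rules quoted in the thread.
const SAMPLE_CSS = `
/* constructed sample */
@import url("base.css");
a:link, a:visited { color: #551a8b; }
#google:visited { background: url("userwenttogoogle.png"); }
@media screen {
  #probe2:visited { background: url(logger.php?site=example.com;x=1) }
  nav a:visited, nav a:hover { display: block; border-color: red }
}
a.ok { background: url("icon.png"); }
`;

console.log(auditVisited(SAMPLE_CSS));
```

The plain colour rule and the unconditional a.ok background pass; only declarations whose effect depends on the visited state are reported.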

We Need to take more care of our browsers (1)

Azarman (1730212) | more than 3 years ago | (#32265476)

Today is a day. First Chrome not hiding you correctly, and now all your visited pages are being displayed via css:hover. The problem is as we get more "user-friendly" we take short cuts and become lazy, my personal approach to this is to have my most visited websites in my Favs list and set Firefox, Chrome and IE to different roles. For example I use Firefox for work (logmein), IE is there for the bad websites that still don't load correctly in other browsers and Chrome for general browsing (threaded tabs for the win!!) All are set to delete all history when they are closed, this does get annoying to have to log in to everything all the time however I know all my passwords off by heart, never have to write them down because I am always using them and can get to all my websites via favs. Leaving your history and cookies is just lazy and my understanding is that if you delete this data you don't have these problems. Also sidenote, could I publish an ad via Google with CSS hover to harvest this information? Not sure what I would do with it but I am sure you could get a lot of information this way.

Re:We Need to take more care of our browsers (0)

Anonymous Coward | more than 3 years ago | (#32266168)

:hover isn't what gets people in trouble, it is :visited. This is not exploitable directly through google ads. If you could modify the CSS of a google ad you'd see a lot of horrible ads a lot worse than a little :visited history abuse.

WTF? (1, Redundant)

foghorn19 (108432) | more than 3 years ago | (#32265534)

"A study of 243,068 users found that 76% of them were vulnerable to history detection by malicious websites."

Vulnerable != affected

I'm pretty sure... (1)

The MAZZTer (911996) | more than 3 years ago | (#32265572)

...fixes have landed in Firefox and Chrome trunks for this problem. Chrome's should be in the beta branch, or at least the dev branch, not sure about Firefox's. The Bugzilla link confirms Firefox has the fix (not sure which Firefox release Gecko 1.9.3 corresponds to... latest 3.6 maybe?)

Can't test right now since the test site isn't on my company's firewall whitelist...

Re:I'm pretty sure... (0)

Anonymous Coward | more than 3 years ago | (#32266742)

> company's firewall whitelist

Smart company if you ask me.

Site whitelists solve much more problems than they cause in comparison to blacklists.
And this is equally likely to stop any websites stealing your information, unless a trusted site gets the hax.

Links browser (0)

Anonymous Coward | more than 3 years ago | (#32265588)

Does the CSS visited trick work in the Links [wikipedia.org] browser?

< re-fitting tin-foil hat >

couldn't try (0)

Anonymous Coward | more than 3 years ago | (#32265596)

slashdotted link.

With Chrome (0, Flamebait)

fustakrakich (1673220) | more than 3 years ago | (#32265740)

This is a feature...requested by the advertisers...

Look, just give it up already. Everything you do is being tracked, by somebody, anybody that's interested.. You can't hide anything from your service provider, so it doesn't matter what your browser coughs up

Re:With Chrome (3, Funny)

John Hasler (414242) | more than 3 years ago | (#32265844)

> Look, just give it up already. Everything you do is being tracked, by
> somebody, anybody that's interested.. You can't hide anything from your
> service provider...

I rather doubt that my ISP or anyone else knows my private GPG key.

Re:With Chrome (1)

SirWhoopass (108232) | more than 3 years ago | (#32266156)

I don't see how that prevents them from knowing which web sites you have been visiting.

I'll bet that if the majority of browsers ever stopped storing history data then Cox and Comcast would readily agree to log it and sell it to the advertisers.

Re:With Chrome (0)

Anonymous Coward | more than 3 years ago | (#32267612)

Is it 1-2-3-4-5?

Re:With Chrome (2, Insightful)

Tim C (15259) | more than 3 years ago | (#32266340)

There's a difference between my service provider potentially having the information, and some random website I happen to visit having it.

Can't...imagine...caring... (3, Insightful)

RapmasterT (787426) | more than 3 years ago | (#32266534)

I tried...I tried really hard and almost soiled myself with the effort, but I just can't care about my browser history being "stolen".

that's like calling my garbage being stolen every week when the big truck comes and takes it away.

Hell, the more time people spend stealing browser histories is time they're not spending doing something I do care about, so keep at it!

Re:Can't...imagine...caring... (0)

Anonymous Coward | more than 3 years ago | (#32267598)

Well, you know what they say. Those who cry the loudest are affected the most.

Maybe these people should stop visiting www.furriesgossip.com.

Re:Can't...imagine...caring... (1, Informative)

Anonymous Coward | more than 3 years ago | (#32267616)

> I tried...I tried really hard and almost soiled myself with the effort, but I just can't care about my browser history being "stolen".

> that's like calling my garbage being stolen every week when the big truck comes and takes it away.

> Hell, the more time people spend stealing browser histories is time they're not spending doing something I do care about, so keep at it!

Not only that, it's not actually being "stolen". It's more like it's vulnerable to a game of "Fish". Sites can basically "query" your history looking for particular URLs, and the history will simply say "yes" or "no" to indicate whether a specifically requested URL is in the history.

So, yes, feel free to not give two shits, just like I do.

Re:Can't...imagine...caring... (1)

DigitAl56K (805623) | more than 3 years ago | (#32268042)

Do you religiously log out of every authenticated site you visit? What if one passes you through a page that puts your login token in a page URL at any point in time? What if your favorite social networking site, known for sharing your private data, suddenly learned of all the items you've been viewing on Amazon or all the news articles you've been reading?

What if you're in China and after browsing some sites you weren't supposed to you hit a government site and it pulled your history and that included some personally identifiable ID (like your Facebook ID, or your MySpace URL, for example)?

Re:Can't...imagine...caring... (0)

Anonymous Coward | more than 3 years ago | (#32269202)

Do you religiously log out of every authenticated site you visit?

Yes, and this is irrelevant.

What if one passes you through a page that puts your login token in a page URL at any point in time?

Impossible to detect. The exploit works by doing a brute-force dictionary attack on the viewer's history.

What if your favorite social networking site, known for sharing your private data, suddenly learned of all the items you've been viewing on Amazon or all the news articles you've been reading?

Once again, (nearly) impossible. I don't use any social networking sites. And if I did, I still wouldn't give a shit about the entire world discovering my Amazon list. I don't keep my political leanings a secret.

What if you're in China and after browsing some sites you weren't supposed to you hit a government site and it pulled your history and that included some personally identifiable ID (like your Facebook ID, or your MySpace URL, for example)?

This is beginning to resemble the moon-landing hoax theory. I don't live in China. If I did live in China, I would have greater things to worry about. But I grant you, I would worry, if I was not already indoctrinated.

Re:Can't...imagine...caring... (1)

masterwit (1800118) | more than 3 years ago | (#32269250)

Great, now we have to worry about intellectual rights regarding my history. I really do not think someone "stole" my history, they just made a copy of it. Since my history still functions just fine, I do not have a problem with this!

Why not just drop the visited attribute on links? (1)

bpeikes (596073) | more than 3 years ago | (#32266756)

Browsers should just drop support for that attribute. As a matter of fact, why have any attributes that rely on generic browsing info? If a website wants to track which links I've visited, then show them to me via redirect and keep a list of which redirect links show up. How important is having a browser visually indicate which links I've visited? visited is just about as important as supporting the blink tag... Wait, blink isn't supported anymore.

Re:Why not just drop the visited attribute on link (1)

amorsen (7485) | more than 3 years ago | (#32267696)

Visited is very useful for mailing list archives. If you try to follow a thread you can keep clicking next and previous and so on, and you can tell by the colour of the link whether you've read it before.

My solution (0)

Anonymous Coward | more than 3 years ago | (#32266806)

Use a different browser for each website.

Slashdot ratings up (1)

Vapon (740778) | more than 3 years ago | (#32267024)

Anyone wonder if that site is checking our browser history while we read the article? Slashdot.org will be the most popular site according to statistics by the end of the day.

Clear the history (1)

Murdoch5 (1563847) | more than 3 years ago | (#32267402)

Have the history clear itself every 2 min; it's what I do on my box. Sure, it's annoying to have to log in constantly, but on the other hand it's secure.

Explains why my browser history is always empty! (1)

noidentity (188756) | more than 3 years ago | (#32268686)

Finally, an explanation as to why my browser history is always empty. It's being stolen by someone! I wonder if I can have it returned.