
Show HN: A Simple Website for Checking Cloudbleed from Browser's History - cloudvrfy
https://cloudbleed.github.io/
======
xbonez
My first reaction when I read the title was that there is no way I'm giving my
browser history to some arbitrary website.

But I see you're using the :visited pseudo-class. That's actually quite
genius!

~~~
richdougherty
Right, so this site uses CSS selectors to show the user a different colour for
each site they've visited.

In the past the site would also be able to access the different style
information rendered by the browser and use it to find out which sites you'd
visited. Luckily that privacy leak was patched up a while ago:
[https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/](https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/)

Now you'd have to do something like use timing attacks on the browser's
cache... :)

~~~
btown
Or, since you're encouraged to hover or click on each highlighted block,
Javascript could leak your information once you interact. There's no
protection from the human-in-the-loop leaking their own privacy.

------
nsgi
There are some false negatives here as they're linked to without the www. I
haven't visited [https://okcupid.com](https://okcupid.com) but I have visited
[https://www.okcupid.com](https://www.okcupid.com). Therefore, it doesn't have
a red dot when it should.

~~~
cloudvrfy
For a temporary fix, I prepend 'www.' to all the links. It could be improved
by having all the related frequently used URLs of the sites listed, e.g. other
subdomains. Thanks!

~~~
taberiand
This breaks where the link is a subdomain e.g., www.news.ycombinator.com

~~~
cloudvrfy
Fixed it. Thanks!
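
The www-prefix handling discussed in this subthread, as an added example that is not the cloudvrfy site's own code: it generates both the bare and the www. form only for hosts that have no subdomain of their own, collapses duplicates, and renders the list with the colour-only a:visited rule that still works after the 2010 history-leak fix. The function names, the "exactly two labels means bare domain" rule and the sample hosts are assumptions.

```javascript
// Added example, not the site's own code. Builds the URL list a :visited
// history check should render, so that "okcupid.com" also covers
// "www.okcupid.com" while "news.ycombinator.com" is not turned into
// "www.news.ycombinator.com". Duplicate hosts in the input are collapsed.

// Assumption: a host with exactly two labels is a bare registrable domain.
// No public-suffix list is consulted, so "example.co.uk" would be treated
// as already having a subdomain.
function isBareDomain(host) {
  return host.split('.').length === 2;
}

// Returns the URL variants for one host; rejects anything that is not a
// plain hostname so nothing unexpected reaches the generated HTML.
function urlVariants(host) {
  const h = host.trim().toLowerCase().replace(/^www\./, '');
  if (!/^[a-z0-9.-]+$/.test(h)) {
    throw new Error(`not a hostname: ${host}`);
  }
  const variants = [`https://${h}/`, `http://${h}/`];
  if (isBareDomain(h)) {
    variants.push(`https://www.${h}/`, `http://www.${h}/`);
  }
  return variants;
}

// Deduplicated URL list, preserving first-seen order.
function buildCheckList(hosts) {
  const seen = new Set();
  const out = [];
  for (const host of hosts) {
    for (const url of urlVariants(host)) {
      if (!seen.has(url)) { seen.add(url); out.push(url); }
    }
  }
  return out;
}

// Renders the anchors. Since the 2010 hardening only colour may differ for
// :visited links and script cannot read that colour back, so the page
// learns nothing unless the user clicks or hovers.
function renderCheckPage(hosts) {
  const links = buildCheckList(hosts)
    .map(u => `<li><a href="${u}">${u}</a></li>`)
    .join('\n');
  return `<style>a { color: #999; } a:visited { color: red; }</style>\n` +
         `<ul>\n${links}\n</ul>`;
}

// Constructed sample input: a www. duplicate, a subdomain host, a repeat.
const SAMPLE_HOSTS = ['okcupid.com', 'www.okcupid.com',
  'news.ycombinator.com', 'getbootstrap.com', 'getbootstrap.com'];
```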

------
kpcyrd
Cool use case for the CSS history feature :)

@author: Some sites are listed multiple times, like getbootstrap.com

~~~
cypherpunks01
Agreed, nice job!

Blockchain.info and coinbase.com also appear to be dupes in my listing.

------
ComputerGuru
Ugh I didn't realize clicking randomly on the heart would take me to a porn
site. The only red for me was HN.

~~~
zer0t3ch
HN is in the list? I'm here all the time and I don't see a red HN dot.

~~~
chrisper
It's because he broke it. He changed it so it puts www in front of all
domains. But that won't work for all domains.

~~~
zer0t3ch
Ah, okay.

------
libeclipse
Interestingly, news.ycombinator.com is showing as red.

------
gingerlime
One thing I didn't see discussed at all (mind you, there were thousands of
comments on various threads) was crowd sourcing the search for exploited
domains in people's browser cache (as opposed to search engine and archive
caches).

If I understand this, it "simply" matches against the already known list of
known to have leaked domains. Right? But what about potential other leaks that
didn't get cached by search engines but that might live in people's caches?

------
tlrobinson
Neat.

FYI there are a bunch of duplicates, like Cloudflare itself, Hacker News,
Medium, Codepen (just a few of the ones I've actually visited)

~~~
smt923
I noticed for me Discord's site and Laravel were also duplicated.

------
eridius
One of the included sites is agilebits.com, but they're not actually
vulnerable (all of the important traffic there is encrypted separately so even
with TLS broken their users aren't vulnerable).

------
iLoch
Why Cloudbleed and not Cloudburst? Seems like a missed opportunity (though I
understand it's a reference to Heartbleed.)

------
foota
Would be interesting to see an extension with browser history access to search
through your history for actual leaked data.

------
doubleunplussed
I've been to hackernews and transferwise, but I don't see red blocks for them.

~~~
cloudvrfy
Fixed the url of hacker news and changed the url of transferwise. Thanks!

------
kristianp
I'm not getting any different colours, in Chrome 56.

