After the example of making-the-web, I was quite intrigued by the ease of sniffing the history via simple CSS tricks.
So I decided to test, how small I get a Python program which can sniff the history via CSS - without requiring any scripting ability on the browser-side.
I first produced fully commented code (see server.py) and then stripped it down to just 64 lines (server-stripped.py), to make it really crystal clear, that making your browser vulnerable to this exploit is a damn bad idea. I hope this will help get Firefox fixed quickly.
It currently only checks for the 1000 or so most visited websites and doesn't keep any logs in files (all info is in memory and wiped on every restart), since I don't really want to create a full fledged history ripper but rather show how easy it would be to create one.
Konqueror seems to be immune: It also (pre-)loads the "visited"-images from not visited links, so every page is seen as visited - which is the only way to avoid spreading my history around on the web and still providing “visited” image-hints in the browser!
Firefox 4.0.1 seems to be immune, too: It does not show any :visited-images, so the server does not get any requests.
So please don't let your browser load anything depending on the :visited state of a link tag! It shouldn't load anything based on internal information, because that always publicizes private information - and you don't know who will read it!
In short: Don't keep repeating Ennesbys Mistake:
(comic strips not hosted here and not free licensed → copyright: Howard V. Tayler)
And to the Firefox developers: Please remove the optimization of only loading required css data based on the visited info! I already said so in a bug report, and since the bug isn't fixed, this is my way to put a bit of weight behind it. Please stop putting your users privacy at risk.
To get more info, just use ./server.py --help.
Diese Seite nutzt Drupal.
Design: Arne Babenhauserheide.
Werke von Arne Babenhauserheide.
Lizensiert unter freien Lizenzen.