InformAction Forums

[luntrus]

Hi Giorgio Maone,

Hello I have come to join you here.
As you know every modern browser to-day has a so-called "pr0n"-button aboard in order to leave no surfing-traces behind,
but websites are now very well able to record who it is that is trying to surf "anonymously".
The way this is being done is by offering some-one to visit a unique, never before seen URL,
and then check whether that link has been visited through CSS.
That specific link will then have another color.
Isn't that the case, then that means that Private Browsing, InPrivate or InCognito mode has not been active.
"Not a very serious issue, but interesting enough to mention in case some-one wants to embroider further on this concept", according to security researcher Jeremia Grossman.
http://jeremiahgrossman.blogspot.com/20 ... -mode.html
Together with his colleague Collin Jackson he designed the following web-page:
http://crypto.stanford.edu/~collinj/research/incognito/
that is able to detect if you use of the "pr0n"-button or not,
Do we have protection through NoScript also against other forms of likewise CSS-abuse?
Aren't browser users not becoming more and more transparent?
Where would we be without the NoScript extension?

luntrus

[Giorgio Maone]

NoScript does block the specific PoC, which relies on JavaScript.
With some additional effort you can detect the same info without using JavaScript: in that case, there's nothing you can do about it.
Notice, though, that this is really an almost ridiculous issue, if compared with the ability of tracing the sites you've actually visited which is possible outside the "Incognito" mode (and defeated by SafeHistory and SafeCache).

[bazzargh]

That page doesn't actually detect if PB mode is on, it detects if visited links can be discovered, which is an orthogonal issue.

For example, it reports false positives if either layout.css.visited_links_enabled or browser.display.use_document_colors is false. There's probably other ways to trip it up. See https://bugzilla.mozilla.org/show_bug.cgi?id=147777 for more info about the visited_links_enabled pref.

-Baz

[luntrus]

Hi bazzargh,

As Giorgio Maone mentioned when it is done via JavaScript there is no problem, because NoScript perfectly takes care of that one and similar issues; as a more permanent solution to the visited links issue at hand -

Copy the code below as css file at /Users/luntrus/Library/Application Support/Firefox/Profiles [random].default/chrome

Code: Select all

/* visited link stuff */
#board_wrap a { color: #03c !important; }
#board_wrap .board td { color: #000 !important; }
#board_wrap .board a:link { color: #000 !important; }
#board_wrap .board a:visited { color: #03c !important; }
#board_wrap .message a:visited { color: #000 !important; }
#board_wrap .searchtopics a { color: #000 !important; }


source: http://www.ksot.com/AdBlocks.html
Can you comment to this?

luntrus

[Giorgio Maone]

@luntrus:
No CSS hack can defeat attacks leveraging the :visited CSS selector. Some of them may help against a single well known payload, but there are several ways (both scriptless and using JavaScript) to work around, e.g. using descendant selectors and background images to notify the "spying" party.
As I said, the most useful approach to block the history sniffing attacks is using SafeHistory.
Jeremiah's article shows that SafeHistory (like Incognito), or more precisely the fact we're disabling either globally or selectively history logging, can be detected by a remote sniffer -- not that I'm overly worried about that, considering pros and cons.

[mik33mik]

Hi,
Torbutton addon prevents this issue

[Giorgio Maone]

Hi,
Torbutton addon prevents this issue

How does it, exactly?

[mik33mik]

The result of the test (Jeremiah Grossman) is "Private Browsing mode is ON" either with private browsing ON, or OFF (it's a false positive).
You must check Block History Reads during Non-Tor in torbutton preference.
You can also test torbutton with this poc:

Code: Select all

http://ha.ckers.org/weird/CSS-history.cgi

In this page you can read the Torbutton Design Documentation

This component was contributed by Collin Jackson as a method for defeating CSS and Javascript-based methods of history disclosure. The global-history component is what is used by Firefox to determine if a link was visited or not (to apply the appropriate style to the link). By hooking the isVisited and addURI methods, Torbutton is able to selectively prevent history items from being added or being displayed as visited, depending on the Tor state and the user's preferences.

This component helps satisfy the State Separation and Disk Avoidance requirements of Torbutton

Ciao

[Giorgio Maone]

The result of the test (Jeremiah Grossman) is "Private Browsing mode is ON" either with private browsing ON, or OFF (it's a false positive).

Not exactly: from the test's standpoint, it's ON because TorButton is doing more or less the same thing as Private Browsing and Safe History (i.e. blocking History recording).

In other words, I may declare that I can detect the presence of TorButton (which for people who are very concerned about privacy, i.e. all the TorButton users, is even worse than detecting Private Browsing) and then say that "Private Browsing prevents this issue"

By hooking the isVisited and addURI methods, Torbutton is able to selectively prevent history items from being added or being displayed as visited, depending on the Tor state and the user's preferences.

In other words, TorButton use the very same technique as SafeHistory, and this is not surprising since history sniffing is a major attempt to privacy, which is the main concern of TorButton.

[luntrus]

Hi mik33mik,

A proposed 'domain tagging' - make 'visited' links only look 'visited' when they point to documents in the same domain as the current page. This would be a severe blow to the functionality and usability expected of visited links. What is the interference of RequestPolicy blocking in this case?

luntrus

[mik33mik]

Hi,
yes, the eternal struggle: privacy VS functionality, it's a very subjective choice.

About the question concerning RequestPolicy, it doesn't interfere with browser history setting.