Sniffing Browser History with NO Javascript

General discussion about the NoScript extension for Firefox
phule
Junior Member
Posts: 35
Joined: Sun Jun 07, 2009 6:45 pm
Location: Missouri, USA

Sniffing Browser History with NO Javascript

Post by phule » Sun Jun 14, 2009 1:00 am

There's a link to an interesting article called 'Sniffing Browser History with NO Javascript' on http://slashdot.org at http://www.making-the-web.com/misc/site ... isit/nojs/ The article claims that NoScript won't defeat this method.
Phule
FireFox 56.0,NoScript 5.1.2, BetterPrivacy-1.77
Adblock Plus 2.9.1. Mac OS X 10.12.5
Apple iMac 2.7 GHz Intel Core i5
8 GB 1066 MHz DDR3 RAM
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10

Giorgio Maone
Site Admin
Posts: 8954
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Sniffing Browser History with NO Javascript

Post by Giorgio Maone » Sun Jun 14, 2009 1:11 am

Really really old news. As I already repeatedly commented on the Mozilla bug, the SafeHistory way is the only feasible approach.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Sniffing Browser History with NO Javascript

Post by Alan Baxter » Sun Jun 14, 2009 1:18 am

http://hackademix.net/2009/05/08/start- ... ment-12556
But since it’s possible, even though slow and unpractical, performing the same trick without using JavaScript, the only full-blown protection is SafeHistory
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Sniffing Browser History with NO Javascript

Post by luntrus » Mon Jun 15, 2009 9:49 pm

Hi Alan Baxter,

How this privacy leakage is performed is very simple. The only thing a website needs to do is load a hidden iframe with many, many links. Whenever a link has been visited before, a background pre-defined inside the CSS is loaded. This "background" will log the information and will save it accordingly. This page shows the attack as it evolves:
http://www.making-the-web.com/misc/site ... isit/nojs/
But it can also be done on a "normal" page using viewstate.

Edit: webdeveloper does not offer a possibility to globally set an overruling CSS, the Fx plugin Stylish (https://addons.mozilla.org/en-US/firefox/addon/2108) can. Make the following (global) style:

Code:

    a:visited {
        background: none !important;
        background-image: none !important;
        list-style-image: none !important;
    }


O.K. that works, but there is yet another way to block this with an extension, named: RefControl. There you can set globally and on a per site basis what the referring header should be. This could be for instance enforce root of the site (block third party- etc.), so for example htxp://www.asIlike_tosee it. com/ and if that will hamper functionality, sometimes the real referrer.

There is also a third way namely to block all Meta Redirects then this sniffing also does not function anymore,
So there are more ways to kill the proverbial cat,

It is a pity that we have to be educated about all the possibilities (like Giorgio and some others here) to be protected against these issues,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090615 Shiretoko/3.5pre

Giorgio Maone
Site Admin
Posts: 8954
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Sniffing Browser History with NO Javascript

Post by Giorgio Maone » Mon Jun 15, 2009 10:09 pm

luntrus wrote: the Fx plugin Stylish (https://addons.mozilla.org/en-US/firefox/addon/2108) can. Make the following (global) style:

Code:

    a:visited {
        background: none !important;
        background-image: none !important;
        list-style-image: none !important;
    }

O.K. that works,

No it doesn't, for instance:

Code:

    #playboy:visited span { background-image: url(/log.php?url=playboy.com) }
    #google:visited > div { list-style-image: url(/log.php?url=google.com) }

and their infinite variations.
luntrus wrote: but there is yet another way to block this with an extension, named: RefControl

Absolutely not. The HTTP Referer header has nothing to do with history sniffing.

luntrus wrote: There is also a third way namely to block all Meta Redirects then this sniffing also does not function anymore,

Sorry, that's incorrect too. This trick is not related to Meta Redirects either.
luntrus wrote: So there are more ways to kill the proverbial cat,

Unluckily not.
I've considered adding some protection against this "attack" three years ago, when it was "revealed" by my friend Jeremiah Grossman.
However I gave up because there was no "simple" solution as everyone who sees this for the first time (or sees it again after forgetting about it) seems to believe.
The only effective approach, as I said multiple times, is SafeHistory. Period.
If SafeHistory stops being actively developed (as it seems), I can consider taking over its development and/or integrate it in NoScript, but I've got to find the time: NoScript's TODO list is nearly infinite, despite some moronic slanders which some people keep spreading...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
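
Why the `a:visited` override quoted above misses the two counter-example rules, shown as an added example (not code from any poster in this thread): a small JavaScript audit that flags stylesheet rules pairing `:visited` with a `url()` fetch and reports whether the override would neutralise them. The function names and sample rules 1 and 4 are constructed for illustration; it assumes flat rules and that the `:visited` element is a link.

```javascript
// Constructed sample stylesheet: rules 2 and 3 are the counter-examples quoted
// in the post above; rules 1 and 4 are constructed for contrast.
const SAMPLE_CSS = `
a:visited { background: url(/log.php?url=example.org) }
#playboy:visited span { background-image: url(/log.php?url=playboy.com) }
#google:visited > div { list-style-image: url(/log.php?url=google.com) }
a:visited { color: purple }
`;

// Properties reset by the user-style override `a:visited { ... !important }`.
const OVERRIDDEN = new Set(["background", "background-image", "list-style-image"]);

// Split flat CSS (no @media nesting, no comments) into selector/body pairs.
function parseRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(css)) !== null) {
    for (const sel of m[1].split(",")) {
      rules.push({ selector: sel.trim(), body: m[2] });
    }
  }
  return rules;
}

// The subject is the last compound selector: the element the rule styles.
function subjectOf(selector) {
  const parts = selector.split(/\s*[>+~]\s*|\s+/).filter(Boolean);
  return parts[parts.length - 1];
}

// Names of the properties in a rule body whose value triggers a url() fetch.
function urlProperties(body) {
  return body.split(";")
    .filter((d) => /url\s*\(/i.test(d))
    .map((d) => d.slice(0, d.indexOf(":")).trim().toLowerCase());
}

// Flag every rule that makes a url() fetch conditional on :visited, and say
// whether the override neutralises it (assumption: the :visited element is <a>).
function auditVisitedRules(css) {
  return parseRules(css)
    .filter((r) => /:visited\b/i.test(r.selector) && urlProperties(r.body).length > 0)
    .map((r) => ({
      selector: r.selector,
      coveredByOverride:
        /:visited\b/i.test(subjectOf(r.selector)) &&
        urlProperties(r.body).every((p) => OVERRIDDEN.has(p)),
    }));
}
```

Rules whose subject is a descendant or child of the visited link style a different element than the one the override targets, which is why they come back with `coveredByOverride: false`.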

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Sniffing Browser History with NO Javascript

Post by luntrus » Mon Jun 15, 2009 10:27 pm

Hi Giorgio Maone,

Good I posted this, because some wrong assumptions I have found were debunked. Thank you so much for setting the record straight,

polonus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090615 Shiretoko/3.5pre

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Sniffing Browser History with NO Javascript

Post by Tom T. » Mon Jun 15, 2009 11:15 pm

@Giorgio: Please ignore the moronic slanders and stay focused on what you are doing with NoScript. Then, "res ipsa loquitur" (it will speak for itself... to anyone with an open mind). IIRC, it was Isaac Asimov who said, "Never try to teach a pig to sing. It wastes your time and annoys the pig". Don't argue with the pigs. Make NS the best it can be, and let those with awareness or an open mind use it, and let the morons become part of botnets, bank accounts drained, etc. </preach>

And thanks for the mention of SafeHistory. I became very active here too recently to have read the "old, old news", but installed it on your advice. I'm surprised it's not being actively maintained, being a product of the prestigious Stanford University, apparently. Perhaps someone that you trust could find a way to integrate this into NS, as you are so busy? I can find volunteers. :)

Can a history-sniffing attack truly work if I clear ALL data in "clear private data/settings" in between website visits? No details needed, just yes or no -- just curious.

Thanks as always.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

Giorgio Maone
Site Admin
Posts: 8954
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Sniffing Browser History with NO Javascript

Post by Giorgio Maone » Mon Jun 15, 2009 11:57 pm

Tom T. wrote: Can a history-sniffing attack truly work if I clear ALL data in "clear private data/settings" in between website visits? No details needed, just yes or no -- just curious.

Yes.
But does anybody really do that?
It makes turning the new Fx 3.5 layout.css.visited_links_enabled about:config preference to false sound like a convenient fix ;)
(Yes, in Firefox 3.5 you can actually defeat this attack at the price of not seeing any history feedback inside the pages you visit).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Sniffing Browser History with NO Javascript

Post by Tom T. » Tue Jun 16, 2009 1:55 am

Giorgio Maone wrote:
Tom T. wrote: Can a history-sniffing attack truly work if I clear ALL data in "clear private data/settings" in between website visits? No details needed, just yes or no -- just curious.

Yes.
But does anybody really do that?...

If you mean, "does anyone really clear all private data before going to the next site", the answer is yes. One person, at least (this one). Usually, by closing and re-starting the browser, which dumps the data and also Sandboxie empties the entire sandbox, in which the browser data were trapped anyway.

But if I understand you correctly, SafeHistory, which I just installed yesterday on your advice, defeats these attacks, so there is no more to worry about, correct?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

Giorgio Maone
Site Admin
Posts: 8954
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Sniffing Browser History with NO Javascript

Post by Giorgio Maone » Tue Jun 16, 2009 7:24 am

Tom T. wrote: But if I understand you correctly, SafeHistory, which I just installed yesterday on your advice, defeats these attacks, so there is no more to worry about, correct?

For this attack on your privacy, you're safe. But as luntrus pointed out, when you navigate from one site to another you tell the destination where you're coming from (Referer HTTP header, I use RefControl for that), and if you've got 3rd party cookies enabled you tell centralized entities a lot of stuff about what you're doing (use CS Lite for that).
On a side note, history sniffing could (in a much more sophisticated way) be replicated by comparing load latencies and "guessing" if a certain resource comes from your cache (visited) or not. Use "SafeCache" (which performs cache fragmentation just like SafeHistory does with history, from the same Stanford people) to defeat that.

Of course I would worry about one site guessing the sites I've visited from a fixed list only if I was a Chinese/Iranian blogger, an Al Qaeda turrist, an US citizen or under the dictatorship of a 72 years old dwarf clown who owns all the media in my country... oh wait :roll:
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Sniffing Browser History with NO Javascript

Post by Tom T. » Tue Jun 16, 2009 9:28 am

Giorgio Maone wrote: ... But as luntrus pointed out, when you navigate from one site to another you tell the destination where you're coming from (Referer HTTP header, I use RefControl for that),

A long time ago, there was a tool called GuideScope that, among other things, stripped referrer headers. Will look at Ref Control, thanks.

Giorgio Maone wrote: and if you've got 3rd party cookies enabled

I don't. F2 = network.cookie.cookiebehavior=1 prevents all 3rd-party cookies, correct? Also, the most evil (about 12,000) are in Hosts, and so cannot communicate with the browser at all. I don't ever remember seeing a 3-P cookie in Fx Show Cookies.

Giorgio Maone wrote: On a side note, history sniffing could (in a much more sophisticated way) be replicated by comparing load latencies and "guessing" if a certain resource comes from your cache (visited) or not. Use "SafeCache" (which performs cache fragmentation just like SafeHistory does with history, from the same Stanford people) to defeat that.

Will do, thanks.

Giorgio Maone wrote: Of course I would worry about one site guessing the sites I've visited from a fixed list only if I was a Chinese/Iranian blogger, an Al Qaeda turrist, an US citizen or under the dictatorship of a 72 years old dwarf clown who owns all the media in my country... oh wait :roll:

We both are among that Venn set (category 3 here), but you left out his affair with the 18-year-old. And my entire country thanks yours for proving that we are not the only country whose politicians are corrupt sexual deviants who pass laws granting themselves immunity. :roll: Yes, the story made it here, since it has everything the US audience wants: sex, power, money, scandal, corruption, bribery, and a hot chick who calls him "Daddy". :P

EDIT: OK, now that we've had our fun at the expense of our politicians, I've looked at, and installed, both SafeCache and RefControl. The SafeCache test page was very impressive. If only you had a twin, your twin could make a test page for NS...

*Serious Suggestion*: Would you consider putting a sticky somewhere at the top of the Board Index, "Giorgio Maone's Recommended Tools For Increased Privacy'"? I might never have heard of these had it not been for the hackademix mention of SafeHistory and the discussion with luntrus. I'm sure many visitors would find this list interesting and useful. It might also be reprinted at NS Home Page -- you have an audience that is known to be interested in security, and recommending additional *free* privacy tools from other sources increases your credibility as being genuinely interested in the total welfare of your visitors.
Last edited by Tom T. on Tue Jun 16, 2009 10:10 am, edited 1 time in total.
Reason: added tools, feedback, suggestion
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Sniffing Browser History with NO Javascript

Post by luntrus » Tue Jun 16, 2009 7:20 pm

Hi Tom T.

A reply to your suggestion, a survey of these extensions/add-ons:
Privacy Description

FoxyProxy: https://addons.mozilla.org/nl/firefox/addon/2464 This will change automatically between proxyservers.
Proxilla: https://addons.mozilla.org/nl/firefox/addon/8113 Surf using proxyserver (experimental).
Torbutton: https://addons.mozilla.org/nl/firefox/addon/2275 Toggle the Tor function in Firefox.
BugMeNot: https://addons.mozilla.org/nl/firefox/addon/6349 Automatically logs in onto websites for existing accounts.
TabRenamizer: https://addons.mozilla.org/nl/firefox/addon/2987 Self-adjust name and logo of a tabpage.
Panic Button: https://addons.mozilla.org/nl/firefox/addon/6990 Hides all open tabs with one button.
No-Referer: https://addons.mozilla.org/nl/firefox/addon/1999 Lets you open links without an HTTP referer header.
Toggle Private Browsing: https://addons.mozilla.org/nl/firefox/addon/9517 Lets you start up Firefox by default in "Private Browsing" mode.
Tab Permissions: https://addons.mozilla.org/nl/firefox/addon/4757 Sets permissions for every tabpage.
Ghostery: https://addons.mozilla.org/nl/firefox/addon/9609 Looks for webbugs in webpages.
FireGPG: http://nl.getfiregpg.org/09 Encrypts/decrypts text incl. interface.
Distrust: https://addons.mozilla.org/nl/firefox/addon/1559 Removes surftracks.
Gmail S/MIME: https://addons.mozilla.org/nl/firefox/addon/592 Encrypts incoming and outgoing email in Gmail.
Stealther: https://addons.mozilla.org/nl/firefox/addon/1306 Surf anonymously.
SwitchProxyTool: https://addons.mozilla.org/nl/firefox/addon/125 Switch between proxyservers.
hideBad: https://addons.mozilla.org/nl/firefox/addon/1052 Quickly closes tabs and deletes private data.
MailNull Now!: https://addons.mozilla.org/nl/firefox/addon/1105 Generate and keep (anonymous) e-mailaccounts.
SafeCache: https://addons.mozilla.org/nl/firefox/addon/1105 Cache Security.
SafeHistory: https://addons.mozilla.org/nl/firefox/addon/1502 History Security.
x (Paranoia) mod: https://addons.mozilla.org/nl/firefox/addon/1484 Deletes private data through one button.
QuickProxy: https://addons.mozilla.org/nl/firefox/addon/1557 Toggle proxy with one button.
BrowseAtwork: https://addons.mozilla.org/nl/firefox/addon/2059 Circumvent a proxy at school or firm.
TrackMeNot: https://addons.mozilla.org/nl/firefox/addon/3173 Protect users against "dataprofiling".
Message Level Auth for Webmail: https://addons.mozilla.org/nl/firefox/addon/3203 Authenticates webmail at MessageLevel through PhishTank.
BetterPrivacy: https://addons.mozilla.org/nl/firefox/addon/6623 Deletes traces that are kept by e.g. Google and YouTube.

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090615 Shiretoko/3.5pre

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Sniffing Browser History with NO Javascript

Post by Tom T. » Wed Jun 17, 2009 12:07 am

Hi luntrus,

Thanks for taking the time to provide your extensive list. I'll check it out as time allows, as I expect not all will apply to all systems and users (no TOR here, e.g.) and some may duplicate functions. But it is an interesting list, worthwhile to investigate.

I am, of course, still interested in Giorgio's recommended list as well.

Regards,
Tom
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Sniffing Browser History with NO Javascript

Post by luntrus » Wed Jun 17, 2009 8:46 am

Hi Tom T,

So am I, the list I presented is only privacy related. There is also a category of security related add-ons.
Complicating factor there is that some of these extensions may conflict with each other. So for instance Safe History and Safe Cache conflict with DrWeb's av link checker plug-in.
So an integration of various additionals to NoScript could be a way to go.
My personal cocktail is RefControl, Ghostery, CSP, finjan secure browsing, firekeeper (with several rules lists), JS view, NoScript, Perspectives, RequestPolicy, Local IP, FoxBeacon, Nightly Tester Tools, hackbar, CookieSafe, Javascript Deobfuscator, Developer Toolbar, ABP, Netcraft toolbar,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090616 Shiretoko/3.5pre

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: Sniffing Browser History with NO Javascript

Post by tlu » Wed Jun 17, 2009 3:50 pm

Tom T. wrote: Will look at Ref Control, thanks.


I'm a long-time user of RefControl - a good tool, indeed. I think what its author wrote on http://www.stardrifter.org/refcontrol/#help :

Additionally, you can specify the default behavior for any site not in the list. You can set this to something other than Normal if you want to be more protective about your privacy. Setting it to Block for 3rd Party requests only is a fairly good compromise between privacy and not breaking sites. If you change the default behavior and then want a site to get sent the actual referrer, add it to the list and set it to Normal.


... is really good advice.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090616 Ubuntu/9.04 (jaunty) Minefield/3.6a1pre
