Sniffing Browser History with NO Javascript

[phule]

There's a link to an interesting article called 'Sniffing Browser History with NO Javascript' on http://slashdot.org at http://www.making-the-web.com/misc/site ... isit/nojs/ The article claims that NoScript won't defeat this method.

[Giorgio Maone]

Really really old news. As I already repeatedly commented on the Mozilla bug, the SafeHistory way is the only feasible approach.

[Alan Baxter]

http://hackademix.net/2009/05/08/start- ... ment-12556

But since it’s possible, even though slow and unpractical, performing the same trick without using JavaScript, the only full-blown protection is SafeHistory

[luntrus]

Hi Alan Baxter,

How this privacy-leakage is performed is very simple. The only thing a website needs to do is loading a hidden iframe with many, many links. Whenever a link has been visited before, a background pre-defined inside the CSS is loaded. This "background" will log the information and will save it accordingly. This page shows the attack as it evolves:
http://www.making-the-web.com/misc/site ... isit/nojs/
But it can also be done on a "normal" page using viewstate.

Edit:webdeveloper does not offer a possibility to globally set n overruling css, the Fx plugin Stylish (https://addons.mozilla.org/en-US/firefox/addon/2108) can. Make the following (global) style:

Code: Select all

a:visited{
background: none !important;
background-image: none !important;
list-style-image: none !important;
} 

O.K. that works, but there is yet another way to block this with an extension, named: RefControl. There you can set globally and on a per site basis what the referring header should be. This could be for instance enforce root of the site (block third party- etc.), so for example htxp://www.asIlike_tosee it. com/ and it that will hamper functionality sometimes the real referrer.

There is also a third way namely to block all Meta Redirects then this sniffing also does not function anymore,
So there are more ways to kill the proverbial cat,

It is a pity that we have to be educated about all the possibilities (like Giorgio and some others here) to be protected against these issues,

luntrus

[Giorgio Maone]

the Fx plugin Stylish (https://addons.mozilla.org/en-US/firefox/addon/2108) can. Make the following (global) style:

Code: Select all

a:visited{
background: none !important;
background-image: none !important;
list-style-image: none !important;
} 

O.K. that works,

No it doesn't, for instance:

Code: Select all

#playboy:visited span { bakground-image: url(/log.php?url=playboy.com) }
#google:visited > div { list-style-image: url(/log.php?url=google.com) }

and their infinite variations.

but there is yet another way to block this with an extension, named: RefControl

Absolutely not. The HTTP Referer header has nothing to do with history sniffing.

There is also a third way namely to block all Meta Redirects then this sniffing also does not function anymore,

Sorry, that's incorrect too. This trick is not related to Meta Redirects either.

So there are more ways to kill the proverbial cat,

Unluckily not.
I've considered adding some protection against this "attack" three years ago, when it was "revealed" by my friend Jeremiah Grossman.
However I gave up because there was no "simple" solution as everyone who see this for the first time (or see it again after forgetting about it) seem to believe.
The only effective approach, as I said multiple times, is SafeHistory. Period.
If SafeHistory stops being actively developed (as it seems), I can consider taking over its development and/or integrate it in NoScript, but I've got to find the time: NoScript's TODO list is nearly infinite, despite some moronic slanders which some people keep spreading...

[luntrus]

Hi Giorgio Maone,

Good I posted this, because some wrong assumptions I have found were debunked. Thank you so much for setting the record straight,

polonus

[Tom T.]

@Giorgio: Please ignore the moronic slanders and stay focused on what you are doing with NoScript. Then, "res ipsa loquitur" (it will speak for itself... to anyone with an open mind). IIRC, it was Isaac Asimov who said, "Never try to teach a pig to sing. It wastes your time and annoys the pig". Don't argue with the pigs. Make NS the best it can be, and let those with awareness or an open mind use it, and let the morons become part of botnets, bank accounts drained, etc. </preach>

And thanks for the mention of SafeHistory. I became very active here too recently to have read the "old, old news", but installed it on your advice. I'm surprised it's not being actively maintained, being a product of the prestigious Stanford University, apparently. Perhaps someone that you trust could find a way to integrate this into NS, as you are so busy? I can find volunteers.

Can a history-sniffing attack truly work if I clear ALL data in "clear private data/settings" in between website visits? No details needed, just yes or no -- just curious.

Thanks as always.

[Giorgio Maone]

Can a history-sniffing attack truly work if I clear ALL data in "clear private data/settings" in between website visits? No details needed, just yes or no -- just curious.

Yes.
But does anybody really do that?
It makes turning on off the new Fx 3.5 layout.css.visited_links_enabled about:config preference to false sound like a convenient fix
(Yes, in Firefox 3.5 you can actually defeat this attack at the price of not seeing any history feedback inside the pages you visit).

[Tom T.]

Can a history-sniffing attack truly work if I clear ALL data in "clear private data/settings" in between website visits? No details needed, just yes or no -- just curious.

Yes.
But does anybody really do that?...

If you mean, "does anyone really clear all private data before going to the next site", the answer is yes. One person, at least (this one). Usually, by closing and re-starting the browser, which dumps the data and also Sandboxie empties the entire sandbox, in which the browser data were trapped anyway.

But if I understand you correctly, SafeHistory, which I just installed yesterday on your advice, defeats these attacks, so there is no more to worry about, correct?

[Giorgio Maone]

But if I understand you correctly, SafeHistory, which I just installed yesterday on your advice, defeats these attacks, so there is no more to worry about, correct?

For this attack on your privacy, you're safe. But as luntrus pointed out, when you navigate from one site to another you tell the destination where you're coming from (Referer HTTP header, I use RefControl for that), and if you've got 3rd party cookies enabled you tell centralized entities a lot of stuff about what you're doing (use CS Lite for that).
On a side note, history sniffing could be (in a much more sophisticated way) be replicated by comparing load latencies and "guessing" if a certain resource come from your cache (visited) or not. Use "SafeCache" (which performs cache fragmentation just like SafeHistory does with history, from the same Stanford people) to defeat that.

Of course I would worry about one site guessing the sites I've visited from a fixed list only if I was a Chinese/Iranian blogger, an Al Qaeda turrist, an US citizen or under the dictatorship of a 72 years old dwarf clown who owns all the media in my country... oh wait

[Tom T.]

... But as luntrus pointed out, when you navigate from one site to another you tell the destination where you're coming from (Referer HTTP header, I use RefControl for that),

A long time ago, there was a tool called GuideScope that, among other things, stripped referrer headers. Will look at Ref Control, thanks.

and if you've got 3rd party cookies enabled

I don't. F2 = network.cookie.cookiebehavior=1 prevents all 3rd-party cookies, correct? Also, the most evil (about 12,000) are in Hosts, and so cannot communicate with the browser at all. I don't ever remember seeing a 3-P cookie in Fx Show Cookies.

On a side note, history sniffing could be (in a much more sophisticated way) be replicated by comparing load latencies and "guessing" if a certain resource come from your cache (visited) or not. Use "SafeCache" (which performs cache fragmentation just like SafeHistory does with history, from the same Stanford people) to defeat that.

Will do, thanks.

Of course I would worry about one site guessing the sites I've visited from a fixed list only if I was a Chinese/Iranian blogger, an Al Qaeda turrist, an US citizen or under the dictatorship of a 72 years old dwarf clown who owns all the media in my country... oh wait

We both are among that Venn set (category 3 here), but you left out his affair with the 18-year-old. And my entire country thanks yours for proving that we are not the only country whose politicians are corrupt sexual deviants who pass laws granting themselves immunity. Yes, the story made it here, since it has everything the US audience wants: sex, power, money, scandal, corruption, bribery, and a hot chick who calls him "Daddy".

EDIT: OK, now that we've had our fun at the expense of our politicians, I've looked at, and installed, both SafeCache and RefControl. The SafeCache test page was very impressive. If only you had a twin, your twin could make a test page for NS...

*Serious Suggestion*: Would you consider putting a sticky somewhere at the top of the Board Index, "Giorgio Maone's Recommended Tools For Increased Privacy'"? I might never have heard of these had it not been for the hackademix mention of SafeHistory and the discussion with luntrus. I'm sure many visitors would find this list interesting and useful. It might also be reprinted at NS Home Page -- you have an audience that is known to be interested in security, and recommending additional *free* privacy tools from other sources increases your credibility as being genuinely interested in the total welfare of your visitors.

[luntrus]

Hi Tom T.

A reply to your suggestion, a survey of these extensions/add-ons:
Privacy Description

FoxyProxy: https://addons.mozilla.org/nl/firefox/addon/2464 This will change automatically between proxyservers.
Proxilla: https://addons.mozilla.org/nl/firefox/addon/8113 Surf using proxyserver (experimental).
Torbutton: https://addons.mozilla.org/nl/firefox/addon/2275 Toggle the Tor function in Firefox.
BugMeNot: https://addons.mozilla.org/nl/firefox/addon/6349 Automatically logs in onto websites for existing accounts.
TabRenamizer: https://addons.mozilla.org/nl/firefox/addon/2987 Self-adjust name and logo of a tabpage.
Panic Button: https://addons.mozilla.org/nl/firefox/addon/6990 Hides all open tabs with one button.
No-Referer: https://addons.mozilla.org/nl/firefox/addon/1999 Let you open links without a HTTP referer header.
Toggle Private Browsing: https://addons.mozilla.org/nl/firefox/addon/9517 Let you start up Firefox by default in "Private Browsing" mode.
Tab Permissions: https://addons.mozilla.org/nl/firefox/addon/4757 Sets permissions for every tabpage.
Ghostery: https://addons.mozilla.org/nl/firefox/addon/9609 Looks for webbugs in webpages.
FireGPG: http://nl.getfiregpg.org/09 Encrypts/decrypts text incl. interface.
Distrust: https://addons.mozilla.org/nl/firefox/addon/1559 Removes surftracks.
Gmail S/MIME: https://addons.mozilla.org/nl/firefox/addon/592 Encrypts incoming and outgoing email in Gmail.
Stealther: https://addons.mozilla.org/nl/firefox/addon/1306 Surf anonymously.
SwitchProxyTool: https://addons.mozilla.org/nl/firefox/addon/125 Switch between proxyservers.
hideBad: https://addons.mozilla.org/nl/firefox/addon/1052 Quickly close tabs and deleting private data.
MailNull Now!: https://addons.mozilla.org/nl/firefox/addon/1105 Generate and keep (anonymous) e-mailaccounts.
SafeCache: https://addons.mozilla.org/nl/firefox/addon/1105 Cache Security.
SafeHistory: https://addons.mozilla.org/nl/firefox/addon/1502 History Security.
x (Paranoia) mod: https://addons.mozilla.org/nl/firefox/addon/1484 Deletes private data with through one button.
QuickProxy: https://addons.mozilla.org/nl/firefox/addon/1557 Toggle proxy with one button.
BrowseAtwork: https://addons.mozilla.org/nl/firefox/addon/2059 Circumvent a proxy at school or firm.
TrackMeNot: https://addons.mozilla.org/nl/firefox/addon/3173 Protect users against "dataprofiling".
Message Level Auth for Webmail: https://addons.mozilla.org/nl/firefox/addon/3203 Authenticates webmail at MessageLevel through PhishTank.
BetterPrivacy: https://addons.mozilla.org/nl/firefox/addon/6623 Deletes traces that are kept by e.g. Google and YouTube.

luntrus

[Tom T.]

Hi luntrus,

Thanks for taking the time to provide your extensive list. I'll check it out as time allows, as I expect not all will apply to all systems and users (no TOR here, e. g.,) and some may duplicate fuctions. But it is an interesting list, worthwhile to invesitgae.

I am, of course, still interested in Giorgio's recommended list as well .

Regards,
Tom

[luntrus]

Hi Tom T,

So am I, the list I presented is only privacy related. There is also a category of security related add-on's.
Complicating factor there is that some of these extensions may conflict with each other. So for instance Safe History and Safe Cache conflict with DrWeb's av link checker plug-in.
So an integration of various additionals to NoScript could be a way to go.
My personal cocktail is RefControl, Ghostery, CSP, finjan secure browsing, firekeeper (with several rules lists), JS view, NoScript, Perspectives, RequestPolicy, Local IP, FoxBeacon, Nightly Tester Tools, hackbar, CookieSafe, Javascript Deobfuscator, Developer Toolbar, ABP, Netcraft toolbar,

luntrus

[tlu]

Will look at Ref Control, thanks.

I'm a long-time user of RefControl - a good tool, indeed. I think what its author wrote on http://www.stardrifter.org/refcontrol/#help :

Additionally, you can specify the default behavior for any site not in the list. You can set this to something other than Normal if you want to be more protective about your privacy. Setting it to Block for 3rd Party requests only is a fairly good compromise between privacy and not breaking sites. If you change the default behavior and then want a site to get sent the actual referrer, add it to the list and set it to Normal.

... is really a good advice.