I Know Where You Been and What You Done

07-10-10

NOTE: This article talks about a loophole that no longer exists in most major browsers. The information is still interesting, but don’t expect it to work anymore.

Your browser knows an amazing amount about your identity, where you go, and what you do. Every time you visit a page, the browser remembers it in the history. In theory, to protect your privacy, the sites you visit don’t have access to this history information. In practice, it is actually possible to get at part of it. To prove my point, let’s look at the sites you do and don’t visit:



[Interactive demo: two lists, “Social Sites You Use” and “Sites You Don’t”]

So I know you use certain sites. Big deal. Does it really matter? Yes and no.

Let’s suppose I have an evil plot to take over the world, but to pull it off I need the usernames and passwords for 1,000,000 Facebook, Twitter, or MySpace accounts. I might set up a web page to give away $1,000,000 to a lucky random visitor. To lend credibility, I actually set up the real sweepstakes and put the money in escrow so people can confirm that it’s legit ($1,000,000 is a small price to pay for world domination.) People get excited, the news spreads, and millions of people visit my site and enter their email address. So far, all I have is a list of millions of email addresses, but suppose for a moment that the site also detects which social networking sites each person uses, and keeps track of that information. When they submit their email address, the site stores it with the social networking site information. Now, I could send careful phishing emails to each person, attempting to coerce them into disclosing their password. Being able to guarantee that the email sent is for the right social site dramatically increases the odds of success, and reduces the odds of being discovered. I’m several times more likely to achieve world domination.

Now let’s suppose my sinister and evil twin looks at this plot. He doesn’t want to rule the world, but money gets him really excited. He looks at my evil plan, and determines that he could do it with banks. Bait people with a giveaway, then send phishing emails targeted for their online banking system. Use a portion of the stolen money to pay the sweepstakes, and pocket the rest. Brilliant.

Aren’t you glad I don’t have a sinister and evil twin?

So why the heck is a security issue like this still around? The first reason is that it isn’t really a security issue. It can be used to focus phishing emails or other social engineering attacks, but knowing the history doesn’t actually do anything alone. Anyone could still attempt the same attack without it, and even with it, they’ll only get the people who aren’t being careful (or who don’t know enough to be careful). All this does is give the attacker a way to send fewer spam/phishing emails (arguably not a bad thing.)

The second reason is that it can’t be fixed without breaking things. The detection works by using the CSS :visited pseudo-class to check for common URLs. The :visited pseudo-class is used in website designs all over the web and at this point is an important part of web usability. We’ve grown so accustomed to :visited links that we don’t even remember how useful they are sometimes. Suppose you found a site last week and you want to get back, but you don’t remember exactly what it was called. You run to Google and plug in a quick search. Even if that site isn’t the top result, you’ll recognize it, because the link is purple, not blue. That’s a :visited link.
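A defender-side check for the mechanism described above, as an added example that is not code from the original post: a small JavaScript linter that scans a stylesheet (for instance one shipped by a third-party widget) for :visited rules that do more than recolor a link. The function name, the sample CSS, the `.example` hosts and the color-only allowlist are assumptions made for illustration; the scan is a regex pass, not a full CSS parser.

```javascript
// Added example: audit a stylesheet for :visited rules that could expose history.
// Assumption: a :visited rule is harmless only if it sets color properties,
// mirroring the restriction browsers later applied to this pseudo-class.
const COLOR_ONLY = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'text-decoration-color', 'fill', 'stroke',
]);

function auditVisitedRules(css) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, '');  // drop CSS comments
  const rule = /([^{}]+)\{([^{}]*)\}/g;               // innermost "selector { declarations }"
  let m;
  while ((m = rule.exec(text)) !== null) {
    const selector = m[1].trim();
    if (!/:visited\b/i.test(selector)) continue;      // only :visited rules matter here
    for (const decl of m[2].split(';')) {
      const idx = decl.indexOf(':');                  // first colon ends the property name
      if (idx < 0) continue;
      const prop = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      if (/url\s*\(/i.test(value)) {
        // A fetch that happens only for visited links tells a server about the visit.
        findings.push({ selector, prop, reason: 'fetches a resource' });
      } else if (!COLOR_ONLY.has(prop)) {
        // Size or visibility changes can be measured by script on the page.
        findings.push({ selector, prop, reason: 'changes layout or non-color style' });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet; hosts and selectors are made up.
const SAMPLE_CSS = `
a:visited { color: purple; }  /* ordinary usability styling */
a[href="https://social.example/"]:visited { background-image: url(https://collector.example/a.png); }
#probe a:visited { display: none; }
a:hover { background: url(hover.png); }
`;

console.log(auditVisitedRules(SAMPLE_CSS));
```

The check is deliberately conservative: a shorthand such as `background` is reported even when it only carries a color, so findings need a manual look.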

There are some proposals out for dealing with this, and it looks like the next versions of Chrome and Firefox may include fixes. I’m actually disappointed about that. No, it’s not that my plans of world domination will be shot (I can live with that.) I’m disappointed because I feel that this is a valuable and legitimate tool, and I see incredible potential for it.

Legitimate? How so? Below every post on this site, there is a row of bookmarking links. Bookmarking links are cool. So cool, that there are 100+ different bookmarking sites that people might use. Nobody wants to play Where’s Waldo with bookmarking logos, so I wrote a script that removes any bookmarking sites that the visitor doesn’t use. If you look at the bookmarking links on this site, the logos will be familiar, because these are the sites you use.

The value of this “flaw” is the ability to tailor content to specific users based on where they go, and what they do. Imagine a web where ads always show products you actually want or need. Imagine sites that only give you relevant information about their products. Imagine every “Digg this” replaced with “Tweet this”. Imagine a better web, with better communication. Imagine a web that literally revolves around you.

But no, sadly, this web will be thoughtlessly murdered as an infant, because a few people are afraid it could be used to assist criminals. If we’d had that kind of thinking 30 years ago, we would have no internet, no email, and no personal computers.

Related Links

http://www.whattheinternetknowsaboutyou.com/top5k (This one really is cool)
http://www.azarask.in/blog/post/socialhistoryjs/ (A basic article on the concept, but the implementation on that site is broken)

This entry was posted on Saturday, July 10th, 2010 at 8:35 pm and is filed under Impossible Things, Programming, Web Development.

2 Responses to “I Know Where You Been and What You Done”

  1. Firefox + NoScript for the privacy win! I had never thought of detecting link color to accomplish this. Kind of ingenious, actually.

  2. Actually, NoScript won’t save you. I can do it with pure CSS. In fact, using just CSS I could even send data to a remote server indicating which sites were in your history.
