Why DO browsers (Fx) allow sites to "see" history from visited links color

Discussion in 'privacy problems' started by phkhgh, Sep 13, 2012.

Thread Status:
Not open for further replies.
  1. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    How / why is it possible for sites / "others" to figure out which sites / links were visited, when Fx is set to change color of visited links? IOW, why is this allowed?
    Other than constantly clearing history, is there any way / addon, etc., to allow changing visited links color & NOT give sites access to links visited on OTHER sites?

    For a long time, this "problem" was apparently not widely known, as advanced users frequently posted workarounds to force Fx to change visited links color (if they didn't change automatically); such as adding command to userContent.css. Mods read those posts & also apparently weren't aware of privacy side effects (nor was anyone else).

    Why would developers allow ANY persistent Fx / other browsers settings that potentially enable sites to see all sites / links users visited (that are still in their history)?
    What makes it so difficult for devs to prevent this from happening & why has it taken so long to address the issue?

    For many users, if "change visited link color" is effectively disabled, it reduces browser function tremendously, like on sites w/ long lists of articles, etc. Quite a conundrum.
    MANY sites / articles discuss this issue. One link from another poster- article by David Baron, Mozilla Corporation: https://hacks.mozilla.org/2010/03/priva ... /#comments
    Another "reliable" site says: https://hacks.mozilla.org/2010/03/priva ... /#comments
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's incredibly useful for websites to know how users are getting to them. Though I may be confusing what issue you're trying to talk about.
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    He's not talking about referrers. It's about reading your whole history with js.

    I thought that vulnerability was patched, at least by Mozilla. Now I don't know.
     
  4. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
  5. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Yes, Pedro - you're correct. Recent posts I've read indicated that issue may NOT be fixed, but I can't find anything official, saying that.

    SirDrexl, sorry - but don't do India sites. Can you summarize?

    I still don't understand why browsers would implement designs that allow sites to read users' history. Having visited links change color is an extremely useful feature to many users.

    Has anyone else read about any fixes actually implemented?
    This privacy bug was around for yrs.

    Maybe that LONG standing issue is fixed - sometimes official release notes don't mention things, or are worded so strangely, doesn't register for most users. I'll look again / try searching bugzilla, but searches often fail, even when there's a perfect match.
     
  6. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    Well, it's a script that checks for visited links to certain sites, in order to show the social networking buttons that would be relevant to a visitor.

     
  7. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    SirDrexl, that's basically what the other links I listed said.
    Obviously, some sites & Moz devs talked about possible fix, but I never heard / read it was implemented. Have you? I read all changes / fixes for every Fx release.

    On another very large (not security focused) site, I got a lot of clueless replies. "Who cares if they see where you've been." "I could care less if someone using my computer sees what sites I visited." Some thought sites could only see links on their own site, or if could see other sites' links, wouldn't be able to figure out which SITES you visited.

    It reminds me of answers if asking middle schoolers, "How many ways can STDs be transmitted."

    Some are clueless & some don't understand the potential problems this could create for users looking for medical, legal advice; live in repressive country & want to read sites on democracy. I could go on.
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  9. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    This appears to be orig. bugzilla report, in 2002. Bug 147777 - :visited support allows queries into global history. They're STILL discussing it on Bugzilla today (Jun 2012) - TEN YEARS. Seems there may still be some concerns & branch bug reports, having to do w/ CSS & page display, that could be exploited.

    Pedro - I see that issue mentioned in Fx 4.0 release notes, saying it was fixed, but they're still discussing issues surrounding bug 147777 (on the orig. bug report).

    After it took 8 - 10 yrs to fix an issue many would consider a major privacy concern, my gut says if you're concerned about real privacy, better use a good proxy, Tor or some equivalent - at least for important stuff. Depending on a browser(s) devs to protect your privacy isn't a good bet.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    As I recall, that specific history leak was fixed. However, sites can still probe your cache.
     
  11. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    I think you can use about:config in Firefox to prevent clicked links from having a different color, I'm not sure which one it is though. I searched "visited" and there is "browser.visited_color" and also "layout.css.visited_links_enabled;false"

    But I thought there used to be a setting somewhere in Tools >> Options that would stop the link from changing colors.

    ----------------------------------------------

    In Opera it's there in Settings >> Preferences >> Webpages, and allows you to select the colors of the "Normal Link Color" and "Visited Link Color", interesting that the "Normal Link Color" is a custom blue color so you have to input numbers to match it in "Visited Link Color" or just select a different standard color that matches for each. Not sure if that's happenstance or they want to make it difficult for a reason.

    ---------------------------------------------

    btw, there's a reason these things don't get fixed - all of these browser companies make their money indirectly from the tracking and profiling that goes on, so they're in on it. They don't want you to be able to browse the net anonymously because their revenue stream will dry up.
     
    Last edited: Sep 14, 2012
  12. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Yes, Mirimir - I said after (much) research, found they appeared to fix issue of pages using changed color links to "discern" all the links you'd visited, by SUPPOSEDLY changing the CSS info Fx would pass to them (but now, visited link color change doesn't work - well, if at all - for me & many others.)
    Iiiii don't like probing... bothers my hems. OK, how do they probe your (entire) cache? Though I may have read something on it, don't remember.

    Many users have disk cache enabled - I don't - have plenty of fast RAM & fast CPU. Still interested for spouse's laptop.

    Snoop 3 - An interesting idea. How exactly would Mozilla get paid from sites that saw which links you visited & therefore, knew which sites you'd visited? It's not like they have a contract w/ every site. (Are U Snoop Dog's 3rd "double"?)
     
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    There used to be 2 extensions that I think covered these issues, SafeHistory and SafeCache.
    Noscript was supposed to address these issues, or Firefox, but I'm not sure how that went.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    -http://lcamtuf.coredump.cx/cachetime/-

    -http://oxplot.github.com/visipisi/visipisi.html-
     