Doesn't appear to guess correctly in Chrome 15 on OS X (10.7.2). I'm not sure exactly what the 'whoops' means for google - but I've obviously visited HN and have visited a few of the others as well.
Note that it doesn't need to be 100% accurate to be effective. If it guesses better than 50% (i.e. coin flip), then it could be used to give guesses with at least some confidence. No different than analyzing any other noisy dataset. Because this all works client-side, it can also be done quite invisibly.
I was under the impression that attempts had been made to hide any effects of :visited styles on the accessible DOM to stop this from working. There's a particularly good article on Mozilla's attempts [1], and the relevant bug on Bugzilla. [2]
Right, but those applications will be for things like online advertising, which is already tracking your visits and/or just assuming you use the popular sites anyway. Can this be used to violate privacy in a meaningful manner if it misses 50% or more of the time? You'd have complete plausible deniability if you were pinned to have accessed some site you don't want people to know you accessed. It can't be used as evidence in anything. What would the threat look like?
I oppose user tracking not necessarily because there's something to hide, but because a sense privacy is a fundamental component of a sense of independence, and for me, independence is one of the critical components of happiness.
If the question is "Has this user visited site X?" then I'd hope that any kind of modelling is better than 50%, as simulating a coin toss would be at least as good.
Same here, although I visited multiple sites listed in the very same session on the browser I have open, the tool only reported one as visited, and Google as a Whoops.
It should have reported at least 6 more!
I get what you're saying, but if the technique really worked, I'd expect it to have told me the sites I frequently visit on the first run and a 100% score on the second run, but it was only like 80% of that.
same here. funny thing is that all correct matches were for sites actually opened in another tab and it even missen facebook which was also open in some tab.
From the 5 sites I visited, it correctly flagged HN, WP and YT as visited, and gave a "whoops" for FB and Google (what does that mean?), which I both visited.
Not even close, too. Instead of measuring load time, you can create "<a>" elements verify their rendered color is the color you defined for visited links. It's a trick of old times...
Really interesting concept. This one wasn't as accurate for me as the original Firefox-specifc proof of concept, though. It only picked up on YouTube and Wikipedia. What's with the "whoops" on Google?
I do use NoScript and Ghostery, though, and I could see how that might cause some false negatives.
as mentioned elsewhere in this thread, that loophole has been closed by all modern browsers. not to say there aren't other ways to get at that information, but it's not as simple as checking the color of a link anymore.
What would be a possible use of this attack? I can't think of anything useful you'd do with knowing that you've visited Facebook. And so many people use sites like Facebook you might get a better success rate just always returning "visited" rather than measuring this way!
Maybe you could use it to only show those social sharing widgets that are for services the visitor actually uses. Though I guess WebIntents will eventually be a better way to handle that.
Ad retargeting without going through one of the high-reach ad networks. Or any product site instantly knowing which competitors you've researched, and tailoring their pricing to that.
Apparently the key to people not knowing where you visited is to use IE. It missed sites like Twitter and Facebook that are open for me all the time. It did get one site correct, HN ;<).
97 comments
[ 12.1 ms ] story [ 210 ms ] threadhttp://dispatched.ch/pic/visipisi-20111203-214939.jpg
Best of luck, it's an interesting concept!
Screenshot: http://cl.ly/1i0921270W2b1u190b0W
Note that it doesn't need to be 100% accurate to be effective. If it guesses better than 50% (i.e. coin flip), then it could be used to give guesses with at least some confidence. No different than analyzing any other noisy dataset. Because this all works client-side, it can also be done quite invisibly.
http://ajaxian.com/archives/spyjax-using-avisited-to-test-yo...
[1]: http://dbaron.org/mozilla/visited-privacy
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=147777
The first time, I had one 'visited', the second time about half were 'visited'. I'm surprised not all of them were, though...
Chromium on Linux
So your cache will end up with images from each of those sites.
I do use NoScript and Ghostery, though, and I could see how that might cause some false negatives.
come on...
The first try was pretty correct though.
That's probably due to me blocking facebook and twitter widgets on sites other than Fb and twitter though.
script FAIL !