33 comments

[ 3.2 ms ] story [ 85.0 ms ] thread
Great but I would be really interested if someone could demonstrate an application deriving some real world use out of these information. Seen many demos of this browser sniffing but is any one using it for real?
it could be useful in targeting ads, i.e. tracking users other website habits to show them much more relevant ads.

Let's say HN has ads. And it sees that you just came from a Python tutorial site. Instead of showing you a random programming book, the ad would show you a series of Python books.

Let's say you're a staffer for a Republican congressman, and I'm an innocuous web page you've visited. Oh, look! You've visited a lot of gay pornography sites! I think I'd like you to start paying me $50 a month now, so I can "protect" you from negative publicity.
Funny, I thought that only the left could be gay.
No both sides can, it's the Left that admits it.
I can't say I've ever met a gay republican... Anyways you simply aren't a republican if you're gay.
Because a Democratic congressman wouldn't have any political problems whatsoever if found to have visited gay porn sites. :)
I didn't give much thought to this example but I think it makes the point OK.
Actually, in targeting, user's short term interests are much more valuable than the long term interests. If a visitor is on HN, you would already know his immediate interests. Knowing that he came from a Python tutorial site, that too you can't say if he is regular there or one and off, would provide marginal value which is hard to justify.
Is there any A/B testing that backs this notion up?
You may have missed the point. Building an application around this would be a mistake, since this is a vulnerability that needs to be fixed. There is no way it can be OK for random site visitors to disclose a profile of other URLs they've visited.
just because it shouldn't be done...doesn't mean people aren't going to use it to make money. and how long have browser people known about this and done nothing? this will be a privacy issue for many years to come.
It's hard to fix without breaking things, so, unfortunately, we're going to have to wait for something very bad to happen before it gets fixed.
That's not the point. He is warning not to build an application on this vulnerability as it will be patched soon, rendering the application useless and your time wasted.
I saw someone made a version of one of those "Share It!" links that only showed ones it sniffed (with others accessible by a one-click menu).
Can work great for competitor analysis as well...
I suggested using it for OpenID IDP discovery. e.g. if a site knows that you use Yahoo, it could show you a "log in with Yahoo" button.
This shouldn't be news, since nothing about the original flaw --- which is years old --- involved Javascript.
Also, this exact method (css background) was mentioned last time the js version came up on hacker news. How many more times will this be posted?
I seem to have missed all the previous times it was posted :-(

I am surprised that the browser try to be smart about loading images defined in the CSS.

All the previous demos I'd seen used JS to observe link colors, so this was news to me.
So... this browser thing, actually -is- gathering analytics from anyone who visits it. :P
(comment deleted)
It'd be nice if NOSCRIPT could have an option like: "Don't share my browser history with this site". If that option were on, the page just wouldn't have any 'visited' links at all. I could live with that.
> It'd be nice if NOSCRIPT could have an option like

'NOSCRIPT' -> 'browsers'

Isn't the utility of the technique watered down by the fact that the attacker has to precompile a list of addresses? Anything not in that list won't be mined.
Great, so now there's recurring revenue in it for the business that sells subscriptions to targeted lists.
You can protect yourself against this by disabling a:visited. Here's a Firefox plugin that does it intelligently, without breaking the functionality on sites where you actually clicked a link.

http://safehistory.com/

If you're upset about this, wait until you hear about Google Analytics...