Re: Detecting Browser History from Schneier on Security

On Fri, May 21, 2010 at 3:19 PM, Jonathan Rees <jar@creativecommons.org> wrote:
> re ISSUE-31 (metadata in URI), sub-issue secrets-in-URIs
>
> http://www.schneier.com/blog/archives/2010/05/detecting_brows.html
> "All major browsers allow their users' history to be detected"
>
> Note
> (a) this confirms the claim made in TAG discussion that URIs that one
> navigates to are sometimes not well protected
> (b) it is taken for granted that this is a bug (privacy breach) that
> needs to be fixed, and that can be (i.e. the FF developers think that
> protecting URIs is "best practice")
>
> If I understand correctly the attack only applies to guessable URIs.

Not exactly. Firstly, guessable here just means public. You can crank
through a lot rather quickly --
http://static.whattheinternetknowsaboutyou.com/results.html reports...

"The ability to detect visitors' browsing history requires just a few
lines of code. Armed with a list of websites to check for, a malicious
webmaster can scan over 25 thousand links per second (1.5 million
links per minute) in almost every recent browser."

Secondly, once you've got a top-level entry point into the user's
history, you can scan the links on that Web page for other documents
to check. So the scanner might initially check for http://playboy.com/
but once it gets a match, it can navigate the link structure of
playboy all the way to
http://playboy.com/fetishes/markuplanguages/html5/dom/strict or
whatever, step by step, testing each step as it goes.

Amazing how long this hole has been open really. See also
http://ajaxian.com/archives/socialhistoryjs-more-spyjax

cheers,

Dan

Received on Friday, 21 May 2010 13:31:35 UTC