Re: Your Web Surfing History is Accessible (without your Permission) via JavaScript from David Singer on 2010-12-07 (public-privacy@w3.org from October to December 2010)

From: David Singer <singer@apple.com>
Date: Tue, 7 Dec 2010 11:00:17 -0600
To: public-privacy@w3.org
Message-Id: <A5785F0D-8C38-4067-B738-5FD3A96BB993@apple.com>

When we introduced link-visited styling it seemed obvious and benign, and only later did we realize the privacy implications.  For me, this incident is the poster-child that should force us to ask "what are the privacy consequences of doing a straightforward implementation of a W3C specification?"  The answer in the case of link-visited are incidents like the one below. 

Explicitly, what kind of review of CSS3 or HTML5 is being done, to see whether there are lurking problems like this one?

On Dec 6, 2010, at 17:54 , SULLIVAN, BRYAN L (ATTCINW) wrote:

> This depends upon a CSS hack which has been a know vulnerability for about 10 years. At least Safari has implemented protections against it, and I hope that other browser do soon also.
> 
>  
> 
> It can tell which sites you’ve been to only by checking against a specific list of domains, by checking the color assigned to a link for each site, for which it creates anchors, sniffs, then deletes. Many examples exist.
> 
>  
> 
> Thanks,
> 
> Bryan Sullivan | AT&T
> 
>  
> 
> From: public-privacy-request@w3.org [mailto:public-privacy-request@w3.org] On Behalf Of Perez, Aram
> Sent: Monday, December 06, 2010 3:30 PM
> To: public-privacy@w3.org
> Subject: Your Web Surfing History is Accessible (without your Permission) via JavaScript
> 
>  
> 
> The Web surfing history saved in your Web browser can be accessed without your permission. JavaScript code deployed by real websites and online advertising providers use browser vulnerabilities to determine which sites you have and have not visited, according to new research from computer scientists at the University of California, San Diego.
> 
>  
> 
> The researchers documented JavaScript code secretly collecting browsing histories of Web users through “history sniffing” and sending that information across the network. While history sniffing and its potential implications for privacy violation have been discussed and demonstrated, the new work provides the first empirical analysis of history sniffing on the real Web.
> 
>  
> 
> The rest of the story at http://ucsdnews.ucsd.edu/newsrel/science/11-02WebSurfingHistory.asp.
> 
>  
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 7 December 2010 17:00:52 UTC