Re: Detecting Browser History from Schneier on Security

From: Mark S. Miller <erights@google.com>
Date: Fri, 21 May 2010 07:52:37 -0700
Message-ID: <AANLkTinPLFQjJnrr2PVDUvPjgf5JUIQ0PqLn45X9C5yq@mail.gmail.com>
To: Dan Brickley <danbri@danbri.org>
Cc: Jonathan Rees <jar@creativecommons.org>, www-tag@w3.org

On Fri, May 21, 2010 at 6:31 AM, Dan Brickley <danbri@danbri.org> wrote:

> On Fri, May 21, 2010 at 3:19 PM, Jonathan Rees <jar@creativecommons.org>
> wrote:
> > re ISSUE-31 (metadata in URI), sub-issue secrets-in-URIs
> >
> > http://www.schneier.com/blog/archives/2010/05/detecting_brows.html
> > "All major browsers allow their users' history to be detected"
> >
> > Note
> > (a) this confirms the claim made in TAG discussion that URIs that one
> > navigates to are sometimes not well protected
> > (b) it is taken for granted that this is a bug (privacy breach) that
> > needs to be fixed, and that can be (i.e. the FF developers think that
> > protecting URIs is "best practice")
> >
> > If I understand correctly the attack only applies to guessable URIs.
>
> Not exactly. Firstly, guessable here just means public.

Hi Dan, what do you mean by "guessable" and "public"? As you explain below,
the attack does work against what I would call guessable non-public URIs.
However, your other point below does suggest modifying Jonathan's statement

    the attack only applies to guessable URIs, or to URIs that can be found
    by navigating from guessable URIs.

This seems a good clarification.

> You can crank
> through a lot rather quickly --
> http://static.whattheinternetknowsaboutyou.com/results.html reports...
>
>  "The ability to detect visitors' browsing history requires just a few
> lines of code. Armed with a list of websites to check for, a malicious
> webmaster can scan over 25 thousand links per second (1.5 million
> links per minute) in almost every recent browser."
>
> Secondly, once you've got a top-level entry point into the user's
> history, you can scan the links on that Web page for other documents
> to check. So the scanner might initially check for http://playboy.com/
> but once it gets a match, it can navigate the link structure of
> playboy all the way to
> http://playboy.com/fetishes/markuplanguages/html5/dom/strict or
> whatever, step by step, testing each step as it goes.
>
> Amazing how long this hole has been open really. See also
> http://ajaxian.com/archives/socialhistoryjs-more-spyjax
>
> cheers,
> Dan

Received on Friday, 21 May 2010 14:53:07 UTC
