
December 02, 2011

CSS :visited may be a bit overrated

OK, second time is a charm. This script is probably of some peripheral interest: in the past two years or so, most browser vendors took the drastic step of severely crippling CSS :visited selectors in order to prevent websites from stealing your browsing history.

It is widely believed that techniques such as cache timing may theoretically offer comparable insights, but the attacks demonstrated so far seemed unconvincing. Among other faults, they relied on destructive, one-shot testing that altered the state of the examined cache; they produced only probabilistic results; and they were far too slow and noisy to be practically useful. Consequently, no serious attempts to address the underlying weakness have been made.

My proof of concept is fairly crude and will fail for a minority of readers; but in my testing, it offers reliable, high-performance, non-destructive cache inspection that blurs the boundary between :visited and all the "less interesting" techniques.
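As an added illustration (not the post's script, which is not reproduced here), the following Python model shows the property the post and the favicon discussion in the comments turn on: with a cache keyed by URL alone, a page on one site can learn whether a resource belonging to another site is already cached, whereas partitioning the cache by top-level site, as one commenter reports Chrome doing for favicons, removes that signal. The site names and URLs are constructed; only hit/miss state is modelled, not the timing the post's script measures.

```python
"""Toy model of a browser HTTP cache: single-keyed (URL only) versus
double-keyed (top-level site, URL). Added example for this post, not the
author's code; all sites and URLs below are constructed."""
from dataclasses import dataclass, field


@dataclass
class BrowserCache:
    """partitioned=False models the 2011 shared cache; partitioned=True
    models a cache split by the top-level site that issued the request."""
    partitioned: bool
    entries: set = field(default_factory=set)

    def _key(self, top_site: str, url: str):
        return (top_site, url) if self.partitioned else url

    def load(self, top_site: str, url: str) -> bool:
        """A page on top_site fetches url. Returns True on a cache hit.
        A miss stores the entry, so the inspection itself is observable
        only as a hit or miss, not as a change to other partitions."""
        key = self._key(top_site, url)
        hit = key in self.entries
        self.entries.add(key)
        return hit


ASSET = "https://example-bank.test/static/app.js"  # constructed URL


def probe_sees_history(partitioned: bool) -> bool:
    """Does an unrelated site learn that the user visited example-bank.test?
    True means the cross-site load of the bank's asset hits the cache."""
    cache = BrowserCache(partitioned=partitioned)
    cache.load("example-bank.test", ASSET)   # user visits the bank; asset cached
    return cache.load("thirdparty.test", ASSET)  # unrelated page references it


def victim_unaffected_by_probe(partitioned: bool) -> bool:
    """After a cross-site probe, does the bank's own next load still hit?
    True means the probe did not disturb the user's own cache state."""
    cache = BrowserCache(partitioned=partitioned)
    cache.load("example-bank.test", ASSET)
    cache.load("thirdparty.test", ASSET)
    return cache.load("example-bank.test", ASSET)
```

With the shared cache the probe distinguishes visited from unvisited; with the partitioned cache the third-party load always misses, so the history signal is gone while the user's own cache still works.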

4 comments:

  1. With a recent expansion of my laptop's memory I made Chromium (on Linux) store its cache on tmpfs (in memory), and I'm not 100% sure that this fact could influence the outcome of this script significantly, but it seems it didn't; it still works in finding out quite accurately which sites I had visited, and which I hadn't.

  2. Sorry for the "late" reply - but instead of using JS/CSS, why not take the favicon.ico - which always(?) has the same URL, and will be cached on 9.999% of all webpages (e.g. 1 month at facebook.com)?

    1. I actually attempted this a few months ago (https://github.com/bloudermilk/scarlet) and found that Chrome maintains a distinct cache for each requesting host. A request for www.reddit.com/favicon.ico from www.mysite.com didn't use the cache, even though I had visited Reddit many times before.

    2. I'm pretty sure that the original proof-of-concept still works, it just checks for JS / CSS assets that are no longer used by the sites. If you view source and hit 5-10 of the URLs visible in there in a new window, you should get matching hits (at least I do, YMMV - it may be that you'd need to adjust the timings).
