Tuesday, December 7, 2010

What You Should Know About History Sniffing

History Sniffing is a term used for Web sites that run simple Javascript tricks to snoop into visitors’ Web browsing history. These tricks are nothing new, but they are in the news again, so it’s a good time to remind you about ways to combat this sneaky behavior.

The recent news is based on a study released by University of California, San Diego researchers who found that a number of sites were “sniffing” the browsing history of visitors to record where they’d been.

This reconnaissance works because browsers display links to sites you’ve visited differently than ones you haven’t: By default, visited links are purple and unvisited links are blue. History-sniffing code running on a Web page simply checks to see if your browser displays links to specific URLs as purple or blue.

These are not new discoveries, but the fact that sites are using this technique to gather information from visitors seems to have caught many by surprise.

As has been broadly reported for months, Web analytics companies are starting to market products that directly take advantage of this hack. Eric Peterson reported on an Israeli firm named Beencounter that openly sells a tool to Web site developers to query whether site visitors had previously visited up to 50 specific URLs.

Fortunately, the browser makers (most of them) have responded. These sniffing attacks do not appear to work against the latest versions of Chrome and Safari. Within Mozilla Firefox, these script attacks can be blocked quite easily using a script-blocking browser plugin, such as the Noscript add-on.

Mozilla addressed this history-sniffing weakness in a bug report that persisted for eight years and was only recently corrected, but the changes won’t be rolled into Firefox until version 4 is released. As a result, current Firefox users still need to rely on script blocking to stop this.

Internet Explorer currently does not have a simple way to block scripts from within the browser (yes, users can block Javascript across the board and add sites to a whitelist, but that whitelist lives several clicks inside of the IE options panel).

So the safest browsers to guard you against History sniffing would be Chrome and Safari.



adapted via krebsonsecurity.com