Notice

This blog is outdated, inactive and archived as static content. I still post occasionally at to-post.it/henriquev, a simple blogging service for Twitter users that I created. All the content of this blog will remain available at the same address as before.

a:visited privacy concern: your web history exposed

I was wondering whether I should style a:visited with a different color from a:link, thinking about the privacy of my users. After a few moments I decided to go without it. Yes, it can be a very nice feature, but I think it’s not very useful and can pose a threat to some individuals. Of course, people who have access to their computers can check the history. But first they have to think of doing it. It doesn’t usually happen that you browse some web site just to check whether the links on it were accessed at some time in the past. So it’s more of a social risk than a computer one. Still, it’s something that web designers should consider.

I’m not saying you should stay away from it. You should think about the benefits. For instance, if you are designing an intranet notes delivery system, it may be important to be assured that the users of this system read the messages. So you had better use it anyway. It won’t make much difference if someone sees on someone else’s computer that he/she has opened it (unless it’s an angry manager who sent the memo).

But then let’s go to a public computer in a library. Surely you don’t want to tell others what the past users were looking at when they browsed (actually this privacy concern should be handled on the client side, but we know that is not how it works in the real world).

So it’s a minor security issue only affecting the client side, right? No.

Here come scripting languages such as JavaScript to complicate things and expose our privacy to everyone. Keep one thing in mind: when this CSS pseudo-class was specified, almost certainly no one thought that one day it could pose a security threat. Indeed, it is one.

Take cookies, for instance. They are limited to a domain name or its sub-domains. But this is not what happens with the a:visited information. If you are in this web browser and I put a link to the English Wikipedia on my page, and you have accessed it once, and I style a:visited differently (a different color, say) from a:link (which means unvisited), you will know that you’ve visited it before just by looking at it. But not only you. With a simple piece of JavaScript on my page, I can know this too.

And yes, this is something that affects most web browsers.

Now you may think this can’t be so dangerous. Well, indeed it is:

  • I can see what you’ve been doing
  • I can see how you interact with the external links in my website
  • I can see if you accessed your bank account recently
  • I can put (thinking about something like session fixation, but with links) poison in your food and discover whether you eat it
  • Given enough power & time I can discover links you accessed

The latter is very resource consuming. But combine a dictionary attack with a weak (low-entropy) authentication URL generator (OAuth, anyone?) or something like that and you’re done… Okay, this sounds too much like doomsday, but it’s possible.
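The low-entropy URL concern can be checked from the defender’s side. The following is an added example, not code from the original post: it bounds the entropy of a token found in a URL, estimates how long enumerating that space would take, and shows a CSPRNG-based generator for comparison. The 128-bit threshold, the probe rate, the `token` parameter name and the example.test URLs are assumptions constructed for the illustration.

```javascript
const { randomBytes } = require('crypto');

const MIN_BITS = 128;        // assumed acceptance threshold for this example
const PROBES_PER_SEC = 1e4;  // assumed rate at which candidate links are tested

// Hardened generator: 32 bytes from the OS CSPRNG, URL-safe encoding.
function strongToken(bytes = 32) {
  return randomBytes(bytes).toString('base64url');
}

// Upper bound on a token's entropy, from its length and the smallest
// character class containing it. Real entropy can be far lower
// (timestamps, counters, Math.random), never higher.
function maxEntropyBits(token) {
  const classes = [
    [/^[0-9]+$/, 10],
    [/^[0-9a-f]+$/, 16],
    [/^[0-9A-Za-z]+$/, 62],
    [/^[0-9A-Za-z_-]+$/, 64],
  ];
  const hit = classes.find(([re]) => re.test(token));
  return token.length * Math.log2(hit ? hit[1] : 95); // 95 = printable ASCII
}

// Average time to reach one valid token by enumeration: half the space.
function expectedYears(bits, probesPerSec = PROBES_PER_SEC) {
  return 2 ** (bits - 1) / probesPerSec / (365 * 24 * 3600);
}

// Audit one URL: extract the named query parameter and judge its token.
function auditUrl(url, param = 'token') {
  const token = new URL(url).searchParams.get(param) || '';
  const bits = maxEntropyBits(token);
  return { bits: Math.round(bits), ok: bits >= MIN_BITS, years: expectedYears(bits) };
}

// Constructed sample URLs; example.test is a placeholder host.
const samples = [
  'https://example.test/login?token=483920',     // 6 digits
  'https://example.test/login?token=5f3a9c1e',   // 8 hex characters
  `https://example.test/login?token=${strongToken()}`,
];
for (const u of samples) console.log(u, auditUrl(u));
```

The bound is optimistic by design: a token that passes can still be predictable if it was not produced by a CSPRNG, so a failing result is conclusive and a passing one is not.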

The solution? Right now there is none. You could turn off JavaScript, but you’re not going to do that. Believe me. Or you could use the privacy mode of your browser (I don’t know whether it avoids the problem entirely, but my guess is that it doesn’t: I think it can still show the other pages you’ve left open).

There are some legitimate uses for this, but I wouldn’t promote them because, in my opinion, they are not worth the cost and can’t survive for long.

See also startpanic.com and :visited links privacy issue.