Notice

This blog is outdated, inactive and archived as static content. I continue to post occasionally on to-post.it/henriquev, a simple blogging service for Twitter users that I created. All the content of this blog will remain available at the same address as before.

Archive for February, 2010

a:visited privacy concern: your web history exposed

I was wondering whether I should give a:visited a different color from a:link, thinking about the privacy of my users. After a few moments I decided to go without it. Yes, it can be a very nice feature, but I think it’s not all that useful and it can pose a threat to some individuals. Of course, people who have access to a user’s computer can check the history. But first, they have to think about it. It doesn’t usually happen that you are browsing some web site and check to see whether the links on it were accessed by you sometime in the past. So it’s more of a social risk than a computer one. Still, it’s something that web designers should consider.

To be clear, I’m not saying to stay away from it. You should think about the benefits. For instance, if you are designing an intranet notes delivery system, it may be important to be assured that the users of this system read the messages. So you’d better use it anyway. It won’t make much difference if someone sees on someone else’s computer that he/she has opened it (unless it’s an angry manager who sent the memo).

But then let’s go to a public computer in a library. Surely you don’t want to tell others what the past users were looking at when they browsed (actually this privacy thing should be handled on the client side, but we know that is not how it works in the real world).

So it’s a minor security issue only affecting the client side, right? No.

Here come scripting languages such as JavaScript to complicate things and expose our privacy to everyone. Keep one thing in mind: when this CSS pseudo-class was written, almost certainly no one thought that one day it could pose a security threat. Indeed, it is one.

Take cookies, for instance. They are limited to a domain name or its sub-domains. But this is not what happens with the a:visited information. If you are on this page and I put a link to the English Wikipedia that you have accessed once, and I’m styling a:visited differently from a:link (that is, unvisited), for example with another color, you will know that you’ve visited it before just by looking at it. But not only you: with a simple piece of JavaScript on my page, I can know this too.

And yes, this is something that affects most web browsers.

Now you may think this can’t be so dangerous. Well, indeed it is:

  • I can see what you’ve been doing
  • I can see how you interact with the external links in my website
  • I can see if you accessed your bank account recently
  • I can put (thinking about something like session fixation, but with links) poison on your food and discover if you eat it
  • Given enough power & time I can discover links you accessed

The latter is very resource-consuming. But combine a dictionary attack with a vicious (bad entropy) authentication URL generator (OAuth, anyone?) or something like that, and you’re done… Okay, this sounds too much like doomsday, but it’s possible.
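An added example, not part of the original post: for a site that puts secrets in URLs, it shows how token entropy decides whether the link-guessing scenario above is practical. The 6-digit weak scheme and the probe rate of 10,000 links per second are constructed assumptions, and all function names are hypothetical.

```javascript
// Added example: how URL token entropy bounds the link-guessing scenario.
// The weak 6-digit scheme and the probe rate are constructed assumptions.

// CSPRNG bytes via Web Crypto when present, else Node's crypto module.
function secureBytes(n) {
  if (globalThis.crypto && globalThis.crypto.getRandomValues) {
    return globalThis.crypto.getRandomValues(new Uint8Array(n));
  }
  return new Uint8Array(require('crypto').randomBytes(n));
}

// Weak scheme (constructed): 6 decimal digits from a non-cryptographic PRNG.
function weakToken() {
  return String(Math.floor(Math.random() * 1e6)).padStart(6, '0');
}

// Hardened scheme: 128 random bits, hex-encoded (32 characters).
function strongToken() {
  return Array.from(secureBytes(16), b => b.toString(16).padStart(2, '0')).join('');
}

// Number of distinct URLs a guesser has to consider.
function searchSpace(alphabetSize, length) {
  return Math.pow(alphabetSize, length);
}

// Entropy in bits of a token drawn uniformly from that space.
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Expected time to hit one valid URL: on average half the space is tried.
function expectedSeconds(candidates, probesPerSecond) {
  return candidates / 2 / probesPerSecond;
}

// Side-by-side figures for the weak and the hardened scheme.
function compareSchemes(probesPerSecond) {
  const weak = searchSpace(10, 6);
  const strong = searchSpace(16, 32);
  return {
    weakBits: entropyBits(10, 6),
    strongBits: entropyBits(16, 32),
    weakSeconds: expectedSeconds(weak, probesPerSecond),
    strongSeconds: expectedSeconds(strong, probesPerSecond),
  };
}

console.log(weakToken(), strongToken(), compareSchemes(10000));
```

At the assumed rate the 6-digit space is covered in under two minutes, while the 128-bit space stays out of reach no matter how visited-link state is read.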

The solution? Right now there is none. You could turn off JavaScript, but you’re not going to do that. Believe me. Or you could use the privacy mode of your browser (and I don’t know if it is good for avoiding it all, but my guess: not, I think it can show the other pages you’ve left open).

There are some legit uses for this, but I’d not promote them because in my opinion they are not worth the cost and can’t survive for long.

See also startpanic.com and :visited links privacy issue.

Updates about my life

Since I was a kid and started using computers I felt very comfortable with them. I was 8 or 9 years old the first time I used the Internet, at home. The first pages I opened were mostly in English, like Yahoo’s and Netscape’s. Netscape itself was for a long time my browser of choice (even when the hardware I had wasn’t powerful enough to let me use the newer versions of it, so I stuck with Internet Explorer for a while). I just wish I’d put my hands on a Mac earlier. Last year, for something more than a month, this is what I used every single day. Today, I’m waiting to receive my first one. A MacBook that’s going to take days to arrive here.

Anyway, since then I have had this interest in the high tech sector. Or more precisely, I wish to work with the Internet.

At the end of December this desire came true when I launched a web service called Plifk with the purpose of offering people (end users) the highest quality file sharing solution available on the Internet.

The moment I launched it I knew it wouldn’t be easy to get mainstream. But I was confident that I had done great work and that it’d be easier than it is turning out to be.

I’m thinking a lot about how to get the much-needed early adopters. Telling friends (even the ones who work with technology) is not being of much help. Nor have I succeeded in finding some nice people that would be engaged to work with me. Also, trying to contact some local/national based incubators doesn’t seem of much benefit.

What I really need right now is not money. I don’t have any wealth, still it’s not a big problem for me to pay my bills. I’m more in need of people to communicate and share ideas with so I can develop my product and help myself in my hunt for a great strategy. And if one’s not of help but to give away money (if) I couldn’t care less and will just fade away (at least now that I’m not shining).

So I guess my current life is like this. Hunting for people and for a strategy. And I’m not hunting for a worker, but for people who can think big.

But this is not going to stop me whatsoever. It took me all my life to learn what I know today about computers, technology and everything. Almost every single day of my life when I was a kid I’d think about something I could do. And as I grew up this didn’t change… Months ago I was free to think. I had dropped out of university, had just finished a short-term course at New York Film Academy on filmography and had no obligations to anyone. For months many people thought that I was doing nothing, that I was a lost soul (as once put by someone talking to a teacher of mine years ago, to not let his child walk along with me).

People here (and everywhere else?) are used to following the unwritten cultural rules of doing everything in a formal way, so describing what I did to someone is really a bad, not funny moment. Having nothing to show, I went through several bad times when, just after telling this or that, I had to listen to something like “but you should do something, doing nothing is not good for you”. Heck, I’m doing something…

Now that I have something to show them, people seem to be more open-minded.

The funny part? Well, I can show them. It’s just that they don’t have the interest to see.

And so here I am with two goals for the next weeks, at least:

  • discover and apply the marketing question: how to attract consumers?
  • discover what the attracted consumers need (and hopefully before they show up) to design a product for them: what is better for them?

One good thing I like to think (and find pretty realistic) is: I’m almost sure I’m not showing my service to the public that can take the most advantage of it, so when I do I’m going to have something that’s really made for them.

And now I shall finish this post and go back to work.