Old School 'Sniffing' Attacks Can Still Reveal Your Browsing History (vice.com)
An anonymous reader quotes a report from Motherboard: Most modern browsers -- such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox) -- have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user's web history, per new research from the University of California San Diego. What's worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user's internet history.
The vulnerabilities have to do with why, for instance, unclicked links appear blue while visited links appear violet: there's a different set of rules and style that apply to links depending on whether they've been visited or not. However, a bad actor building a web page can manipulate this faster loading time for visited links by "sniffing," or inferting your browsing history. In essence, sniffing is finding and exploiting proxies that reveal your web history. As outlined in the UC San Diego report, this sniffing could happen in a couple of ways: they could force the browser to reload multiple complex images or image transformations that differ based on whether you've visited a link or not, which would create drastic differences in the loading time for each. With this strategy, actors can test 60 sensitive URLs per second. Bad actors could exploit a "bytecode cache," which speeds up the loading time for revisiting a link that you've already visited. "By embedding a special script in a web page, the actor can test how long it takes for a web page to load and infer whether you've visited it or not," reports Motherboard. "Actors can probe 3,000 URLs per second with this method. When the vulnerability was reported to Google, the company marked the issue as "security-sensitive" but "low-priority."
Re: (Score:3)
How about disabling browsing, download, search and form history, forcing the browser to get a fresh copy of every page even if you've previously visited, and clearing everything when you close the browser at night.
Good luck trying to find my browsing history.
Well then (Score:1)
a bad actor building a web page can manipulate this faster loading time for visited links by "sniffing," or inferting your browsing history.
How do I get it to stop sniffing my ferts?
Does "Clear history when Firefox closes"... (Score:5, Insightful)
...option not work for you in Firefox? I have that option set, and it appears to work for me. I have several other Firefox security settings turned ON (e.g., "Block cookies from unvisited websites", and "block popup windows"). (And, no, I won't show you the entire phalanx of Firefox settings I'm using :-) )
I'll admit that some people see all these options as daunting...but I'll wager they have a neighbor or colleague who can set it up for them...and show them how to propagate those settings to all other instances of Firefox in their home network.
Browsing in private mode fixes it too (Score:2)
Re: (Score:2)
Who closes Firefox voluntarily?
Re: (Score:2)
I'm not sure that will work, because this doesn't actually check your history. It checks your cache.
Re: (Score:2)
Non-issue. (Score:5, Interesting)
This is a side-channel timing attack which is of low importance because it only allows an attack site to ask if you have been to a site or not. It cannot see your history, just if you have visited a site in the recent past. At best this could inform an attacker if you are a target of interest.
However, this could be of interest to advertisers who want to probe if you have visited their site or maybe a competitor's site. Though chances are they already know that so it's likely not worth the trouble.
Great however (Score:4, Interesting)
Re: (Score:2)
It is a good idea to also use uMatrix so that even if you turn on JS for a site, the third party stuff still can't load.
Inferting browsing history? That's an insinuendo! (Score:2)
Re: (Score:1)
Can your software block apk spam?
I know that already (Score:1)
Re: (Score:2)
I get a lot of value out of this when using Google to search. If the search is for hard to find or describe data and I'm spending over half an hour searching and entering searches that approach the question from many angles, I definitely want to see the many links I've already visited in old searches highlighted in the new ones. I also research many subjects again and again over time (days, months, years, etc.) and would like to be able to distinguish previously unseen information.
In fact, it would be aweso
Fuck me! (Score:2)
Some 'IT expert' discovered cookies.
Now I have seen everything.