Abstract
Web browser history detection using CSS visited styles has long been dismissed as an issue of marginal impact. However, due to recent changes in Web usage patterns, coupled with browser performance improvements, the long-standing issue has now become a significant threat to the privacy of Internet users.
In this paper we analyze the impact of CSS-based history detection and demonstrate the feasibility of conducting practical attacks with minimal resources. We analyze Web browser behavior and detectability of content loaded via standard protocols and with various HTTP response codes. We develop an algorithm for efficient examination of large link sets and evaluate its performance in modern browsers. Compared to existing methods, our approach is up to 6 times faster and is able to detect up to 30,000 visited links per second.
We present a novel Web application capable of effectively detecting clients’ browsing histories and discuss real-world results obtained from 271,576 Internet users. Our results indicate that at least 76% of Internet users are vulnerable to history detection, including over 94% of Google Chrome users; in a test of the most popular Internet websites we were able to detect, on average, 62.6 (median 22) visited locations per client. We also demonstrate the potential to profile users based on social news stories they visited, and to detect private data such as zipcodes or search queries typed into online forms.
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Janc, A., Olejnik, L. (2010). Web Browser History Detection as a Real-World Privacy Threat. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds) Computer Security – ESORICS 2010. ESORICS 2010. Lecture Notes in Computer Science, vol 6345. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15497-3_14
DOI: https://doi.org/10.1007/978-3-642-15497-3_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15496-6
Online ISBN: 978-3-642-15497-3
eBook Packages: Computer Science (R0)