New Sniffing Methods Expose Your Browsing History



Renk
06.11.18, 02:12
Sniffing a browser's history is not new. But recently researchers have found new ways (https://www.spinda.net/papers/smith-2018-revisited.pdf) to perform it, allowing a high sniffing rate.


The faster the attack, the longer the list of target sites an attacker can ‘sniff’ in a reasonable amount of time. The fastest history sniffing attacks have reached rates of thousands of URLs tested per second, allowing attackers to quickly put together detailed profiles of web surfers’ online activity.


All the tested browsers (even Brave) but TBB are vulnerable to these attacks, Chrome being the most vulnerable of all:


All of the attacks the researchers developed in their WOOT 2018 paper worked on Google Chrome. Two of the attacks also worked on a range of other browsers, from Mozilla Firefox to Microsoft Edge, as well as various security-focused research browsers. The only browser which proved immune to all of the attacks is the Tor Browser, which doesn’t keep a record of browsing history in the first place.

https://www.helpnetsecurity.com/2018/11/02/expose-your-browsing-history-to-attackers/



On Firefox, it is said in the paper (https://www.spinda.net/papers/smith-2018-revisited.pdf) that turning the pref layout.css.visited_links_enabled to false should solve the issue but in fact, doesn't.

RapNatioNs
07.11.18, 09:09
Whenever we think that we are safe then it happens.
Kind of scary how unsafe we are on the internet. And then of course professional people like you tell us how to be secure.
I'm loving this community as a family.

Instab
07.11.18, 16:59
The attacks the researchers developed, in the form of JavaScript code
just keep js off as always

Renk
10.11.18, 01:37
just keep js off as always

Theoretically yes, but (too) many sites today lose functionality without javascript. Moreover, blocking javascript uglifies them a lot. Your advice works (and is likely the most efficient advice) but it requires too much discipline and perseverance for, say, 90% of the users.

Instab
10.11.18, 19:49
sure, there's no proper solution for the masses until the browsers fix this.

anon
10.11.18, 22:20
Better solution: turn history off. They can't sniff data that isn't there in the first place =] Chrome doesn't let you do this, but you can erase it and make the "History" and "History-journal" files in your profile directory read-only.

Note that I haven't read the paper yet, so this measure may not actually be effective (just like it wasn't for Opera back in '09 without additional settings).

Renk
10.11.18, 23:30
Better solution: turn history off. They can't sniff data that isn't there in the first place =] Chrome doesn't let you do this, but you can erase it and make the "History" and "History-journal" files in your profile directory read-only.

Note that I haven't read the paper yet, so this measure may not actually be effective (just like it wasn't for Opera back in '09 without additional settings).

In about:config I set the pref. browser.sessionhistory.max_entries to 10 (default is 50!), and I use a CanvasBlocker feature to protect history. In doing so, I can revisit any of the last ten pages visited, but clicking on the tab "History" always shows a blank. I think/hope this immunizes me against the attack, but I have no proof of that. And I don't know any test site using these latest sniffing methods to test what is efficient and what is not.

Sazzy
11.11.18, 00:53
Better solution: turn history off. They can't sniff data that isn't there in the first place =] Chrome doesn't let you do this, but you can erase it and make the "History" and "History-journal" files in your profile directory read-only.

Note that I haven't read the paper yet, so this measure may not actually be effective (just like it wasn't for Opera back in '09 without additional settings).

i love the concept of firefox focus on android. You open the browser, a clean instance appears, you do your thing, swipe it away and it automatically erases everything you've just done. You open it again later, clean instance! Which also makes it lightweight and fast.

Renk
11.11.18, 16:09
i love the concept of firefox focus on android. You open the browser, a clean instance appears, you do your thing, swipe it away and it automatically erases everything you've just done. You open it again later, clean instance! Which also makes it lightweight and fast.

I don't have FF on Android. Isn't the behavior you describe the same as using private mode with desktop FF?

alpacino
11.11.18, 21:40
Oh dear! Time to separate tracker and sb-i activity again. Hahahaha. Not that I ever stopped doing that.
God help us all if RED or anything like that starts using this now.

anon
13.11.18, 00:14
In about:config I set the pref. browser.sessionhistory.max_entries to 10 (default is 50!), and I use a CanvasBlocker feature to protect history. In doing so, I can revisit any of the last ten pages visited, but clicking on the tab "History" always shows a blank. I think/hope this immunizes me against the attack, but I have no proof of that. And I don't know any test site using these latest sniffing methods to test what is efficient and what is not.

That's a good method and the one I use on both Firefox and Opera (where the amount of tabs is hardcoded to 100, but canvas functionality can be disabled at opera:config). Note that those closed tabs are part of your browser session, so they are remembered across restarts and so is the data inside them, as controlled by browser.sessionstore.privacy_level.

A proof of concept or test site for these new attacks would be good, yes.


i love the concept of firefox focus on android. You open the browser, a clean instance appears, you do your thing, swipe it away and it automatically erases everything you've just done. You open it again later, clean instance! Which also makes it lightweight and fast.

With some exceptions (e.g. keeping autologin for trusted sites, dealing with large data blobs in Chrome), I see no reason not to apply this paradigm to all surfing.


I don't have FF on Android. Isn't the behavior you describe the same as using private mode with desktop FF?

Apparently it is, but the interface is engineered to "focus" on one site at a time and avoid distractions. No tabs, no bookmarks and very limited configuration.

https://www.guidingtech.com/firefox-vs-firefox-focus-should-you-switch/


Oh dear! Time to separate tracker and sb-i activity again. Hahahaha. Not that I ever stopped doing that.
God help us all if RED or anything like that starts using this now.

Announcements - BitTorrent Talk (http://www.sb-innovation.de/announcement.php?f=56)

2009 was so much fun, now that almost a decade has passed and most of the trackers that banned us don't even exist anymore. In hindsight, we learned a lesson about computer security the hard way =]

Also, that announcement is really showing its age...

Also, Redacted is the next What.cd, so I expect them to be hard at work with this as we speak :wwhistle:
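
Added example, not part of the thread and not code from the paper: a small Python audit that reads the text of a Firefox profile's prefs.js and user.js and reports the three preferences named in the posts above (layout.css.visited_links_enabled, browser.sessionhistory.max_entries, browser.sessionstore.privacy_level). It only reports values and does not show that any setting stops the attacks, which the posters themselves say is unproven. The function names, the sample file contents and the defaults other than the 50 quoted in the thread are assumptions of this example.

```python
import re

# Preferences named in the thread -> assumed Firefox default. 50 is the
# default quoted in the thread; the other two defaults are assumptions here.
THREAD_PREFS = {
    "layout.css.visited_links_enabled": True,
    "browser.sessionhistory.max_entries": 50,
    "browser.sessionstore.privacy_level": 0,
}

# One user_pref("name", value); statement per line; // comment lines never match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_value(raw):
    """Convert a prefs.js literal (bool, integer or quoted string) to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')  # anything else is treated as a quoted string

def parse_prefs(text):
    """Return {name: value} for every well-formed user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs_js, user_js=""):
    """Report (effective value, differs from default) for each thread pref."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))  # user.js is applied over prefs.js at startup
    report = {}
    for name, default in THREAD_PREFS.items():
        value = merged.get(name, default)
        report[name] = (value, (type(value), value) != (type(default), default))
    return report

# Constructed sample profile contents (not taken from any real profile).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.sessionhistory.max_entries", 10);
user_pref("browser.startup.homepage", "about:blank");
'''
SAMPLE_USER_JS = 'user_pref("layout.css.visited_links_enabled", false);\n'
if __name__ == "__main__":
    for name, (value, changed) in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(f"{name} = {value!r} ({'changed' if changed else 'default'})")
```

To check a real profile, pass the contents of its prefs.js and, if present, user.js to `audit()`; a preference absent from both files is reported at its assumed default.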