{"id":9042,"date":"2014-06-25T10:31:07","date_gmt":"2014-06-25T14:31:07","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=9042"},"modified":"2014-07-05T09:26:46","modified_gmt":"2014-07-05T13:26:46","slug":"history-theft-with-css-boolean-algebra","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2014\/06\/25\/history-theft-with-css-boolean-algebra\/","title":{"rendered":"History Theft With CSS Boolean Algebra"},"content":{"rendered":"<p><a href=\"http:\/\/lcamtuf.coredump.cx\/css_calc\/\">Michal Zalewski<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=7940766\">Hacker News<\/a>):<\/p>\r\n<blockquote cite=\"http:\/\/lcamtuf.coredump.cx\/css_calc\/\"><p>\r\nUp until mid-2010, any rogue website could get a good sense of your browsing habits by specifying a distinctive\r\n<code>:visited<\/code> pseudo-class, rendering thousands of interesting URLs off-screen, and then calling\r\nthe <code><a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Window.getComputedStyle\">getComputedStyle<\/a><\/code> API to\r\nfigure out which pages appear in your browser's history.\r\n<\/p>\r\n<p>\r\nAfter some deliberation, browser vendors have <a href=\"http:\/\/blog.mozilla.com\/security\/2010\/03\/31\/plugging-the-css-history-leak\/\">closed this loophole<\/a>\r\nby disallowing almost all attributes in <code>:visited<\/code> selectors, spare for the ability to alter text, foreground,\r\nand background colors for such links. The APIs have been also redesigned to prevent the disclosure of this color\r\ninformation via <code>getComputedStyle<\/code>.\r\n<\/p>\r\n<p>\r\nThis workaround did not fully eliminate the ability to probe your browsing history, but limited it to scenarios where\r\nthe user can be tricked into unwittingly feeding the style information back to the website, disclosing information about\r\none URL at a time. Several fairly convincing attack vectors have been demonstrated - \r\nmy own entry <a href=\"http:\/\/lcamtuf.coredump.cx\/yahh\/\">can be found here<\/a> - but they generally require roughly one click per every visited URL. In other words,\r\nthe whole thing doesn't scale particularly well.\r\n<\/p>\r\n<p>\r\nThe practicality of such CSS-based history snooping attacks could be improved greatly if we had a way to design an \r\n<a href=\"http:\/\/en.wikipedia.org\/wiki\/Decoder\">n-to-2<sup>n<\/sup> decoder circuit<\/a> with the styling elements available on visited links.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Michal Zalewski (via Hacker News): Up until mid-2010, any rogue website could get a good sense of your browsing habits by specifying a distinctive :visited pseudo-class, rendering thousands of interesting URLs off-screen, and then calling the getComputedStyle API to figure out which pages appear in your browser's history. After some deliberation, browser vendors have closed [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[338,346,355,96],"class_list":["post-9042","post","type-post","status-publish","format-standard","hentry","category-technology","tag-css","tag-javascript","tag-privacy","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/9042","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=9042"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/9042\/revisions"}],"predecessor-version":[{"id":9074,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/9042\/revisions\/9074"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=9042"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=9042"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=9042"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}