Comments on: Start Panicking!

By: Giorgio

Giorgio — Sun, 07 Jun 2009 09:38:16 +0000

@rvdh:
Did you notice the OP starts with “Nothing new” linked to a… what? … 3 years old article? :P

By: rvdh

rvdh — Sat, 06 Jun 2009 10:26:13 +0000

fuck this is ..what.. 3 years old news? am I the only one without amnesia or what?

By: Giorgio

Giorgio — Wed, 13 May 2009 17:21:39 +0000

@Nilesh:

The bug lifts information about visited website from the history. Isn’t it?

Yes. More precisely, attackers can tell if a certain URL is present in your history or not (they’re using a list of 100,000 to be impressive).

Is IE also susceptible?

Of course it is. Every modern browser susceptible.

My IE 7.0 gets hanged whenever I visit startpnaic.com and click Check. Why?

Because its JavaScript interpreter sucks?

By: Nilesh

Nilesh — Wed, 13 May 2009 05:38:21 +0000

Hi Giorgio,

When I cleared the history of Mozilla FF, visiting on startpanic.com didn’t yield any result. The bug lifts information about visited website from the history. Isn’t it? Is IE also susceptible? My IE 7.0 gets hanged whenever I visit startpnaic.com and click Check. Why?

By: A bug in Firefox can detect which sites you have visited - profirefox.org

A bug in Firefox can detect which sites you have visited - profirefox.org — Mon, 11 May 2009 12:31:21 +0000

[…] Mozilla is already working on this bug. [via Giorgio Maone’s blog] […]

By: Giorgio

Giorgio — Sun, 10 May 2009 12:21:27 +0000

@AndreH:

curl http://startpanic.com/db/db_en.txt | wc -l
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1386k  100 1386k    0     0   117k      0  0:00:11  0:00:11 –:–:–  133k
100000

As you can see there are 100,000 domains in that list, for more than 1MB file size, which you’re proposing to turn in server-side generated styled links to be downloaded.
Consider also that a scriptless approach requires one separate HTTP request (and database write) for each single domains found in history, while with JavaScript you can coalesce the logging in one single request/write.
So I can hardly imagine an attacker preferring the scriptless way over the JavaScript one in a real world scenario, aside very motivated targeted attacks against a specific NoScript user.

@Dom:

Will the Firefox fix have the same functionality as SafeHistory?

Nope. If you look at the bug report, you’ll find I repeatedly suggested that was the right approach, however the current "solution" breaks the :visited functionality entirely and therefore is obviously disabled by default.

@Basti:
I heard of a compatible beta, but I can’t find it right now.
There’s no alternative, I’m afraid.

By: Basti

Basti — Sun, 10 May 2009 07:07:46 +0000

I used SafeHistory before, but it’s not compatible with Firefox 3. I know how to patch it, but I don’t think it’s a good idea. Does any one know an alternative?

By: sirdarckcat

sirdarckcat — Sun, 10 May 2009 06:38:11 +0000

I like CSSH more.. haha we can crawl which links you entered in each website.

http://eaea.sirdarckcat.net/cssh-mon/cssh-mon.php

Greetz!!

By: Dom

Dom — Sun, 10 May 2009 02:39:47 +0000

Will the Firefox fix have the same functionality as SafeHistory?

By: GµårÐïåñ

GµårÐïåñ — Sat, 09 May 2009 21:30:28 +0000

Giorgio, I love SafeHistory but the problem is that it has not been updated for a long while and it causes some issues in Fx 3 but for me NoScript seems to be pretty effective and the fact that I don’t maintain a history at all.