I know where you've been :)
Nothing new, but the visual theme looks really cool:

startpanic.com

Mozilla is already working on this, but please do not comment on the bug report, already too much noise there...

23 Responses to “Start Panicking!”

  1. #1 Ben says:

    Is there some workaround other than using a wireless connection?

  2. #2 Giorgio says:

    @Ben:
    what makes you believe a wireless connection is a workaround?

    For this very PoC, based on JavaScript, NoScript is enough of a workaround.

    But since it's possible, even though slow and impractical, to perform the same trick without using JavaScript, the only full-blown protection is SafeHistory.

  3. #3 Simon says:

    Easy fix: Only surf in Private Browsing mode (or toggle the pref layout.css.visited_links_enabled in about:config). No need for NoScript, just the latest and greatest Firefox Beta...

  4. #4 Giorgio says:

    @Simon:
    I'd still prefer a SafeHistory-like solution, since both Private Browsing and the visit_link_enabled setting globally cripple my navigation experience, by disabling history feedback.

  5. #5 Ben says:

    Duh, because wireless is encrypted.

    Sorry if it is lame to set myself up for a joke. I was bored on a Friday afternoon.

  6. #6 nick says:

    quite a comprehensive list of domains:

    http://startpanic.com/db/db_en.txt

  7. #7 Giorgio says:

    @nick,
    booh, mine are all missing :(

  8. #8 AndersH says:

    Why would the same be "slow and unpractical"? It seems to me that it would perhaps be faster:
    [style]
    #urllist a { display:none; }
    #urllist a:visited { display:block; }
    [/style]
    [div id='urllist']
    [a href='http://google.com/' style='background:url(url?google.com)'][/a]
    [a href='http://www.google.com/' style='background:url(url?www.google.com)'][/a]
    [a href='http://yahoo.com/' style='background:url(url?yahoo.com)'][/a]
    [a href='http://www.yahoo.com/' style='background:url(url?www.yahoo.com)'][/a]
    [/div]

  9. #9 Nan M says:

    @nick #6, :
    It's just about the whole of the Web, isn't it. ;-)
    Sorry Prof, your empire-building is hopeless ;-)

  10. #10 Steve says:

    I seriously can't get any results other than

    "
    Here we go!
    startpanic.com
    "

    I tried Safari first as it's my main browser. Result was above. I thought that I was not getting any result other than the above because I changed file flags for directories where Safari would store cookies, cache, bookmarks, history and where flash cookies are stored so no data could be written in those directories. (sudo chflags uchg,schg /foo) So I tried Firefox and I still get the same result. NoScript and CookieSafe both disabled. I didn't set file flags for the directories Firefox uses.

  11. #11 Otto de Voogd says:

    You don't need JavaScript to exploit this:
    http://ha.ckers.org/weird/CSS-history.cgi

    Any exploit though has to try to guess sites/urls where you might have been.

  12. #12 Giorgio says:

    @Otto de Voogd:

    Of course you can do it script-less, as I said in my comment #2, but it's too slow and resource-intensive to be practical outside PoCs.

    And you're obviously correct, the attacker can test if you've visited certain sites, rather than enumerating all your history, but in many scenarios (e.g. guessing if you're a user of a certain bank service before trying a focused phishing attack or checking if you visit certain "subversive" resources before raiding your home with a terrorist charge) this is dangerous enough.

  13. #13 Reading browsing history with CSS | Raz0r.name - a web security blog says:

    [...] I was prompted to write this short note by a post on the blog of the NoScript plugin's author about a site with [...]

  14. #14 GµårÐïåñ says:

    Giorgio, I love SafeHistory but the problem is that it has not been updated for a long while and it causes some issues in Fx 3 but for me NoScript seems to be pretty effective and the fact that I don't maintain a history at all.

  15. #15 Dom says:

    Will the Firefox fix have the same functionality as SafeHistory?

  16. #16 sirdarckcat says:

    I like CSSH more.. haha we can crawl which links you entered in each website.

    http://eaea.sirdarckcat.net/cssh-mon/cssh-mon.php

    Greetz!!

  17. #17 Basti says:

    I used SafeHistory before, but it's not compatible with Firefox 3. I know how to patch it, but I don't think it's a good idea. Does anyone know an alternative?

  18. #18 Giorgio says:

    @AndersH:

    curl http://startpanic.com/db/db_en.txt | wc -l
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 1386k  100 1386k    0     0   117k      0  0:00:11  0:00:11 --:--:--  133k
    100000
    

    As you can see there are 100,000 domains in that list, for more than 1MB file size, which you're proposing to turn into server-side generated styled links to be downloaded.
    Consider also that a scriptless approach requires one separate HTTP request (and database write) for every single domain found in history, while with JavaScript you can coalesce the logging in one single request/write.
    So I can hardly imagine an attacker preferring the scriptless way over the JavaScript one in a real world scenario, aside from very motivated targeted attacks against a specific NoScript user.

    @Dom:

    Will the Firefox fix have the same functionality as SafeHistory?

    Nope. If you look at the bug report, you'll find I repeatedly suggested that was the right approach, however the current "solution" breaks the :visited functionality entirely and therefore is obviously disabled by default.

    @Basti:
    I heard of a compatible beta, but I can't find it right now.
    There's no alternative, I'm afraid.

  19. #19 A bug in Firefox can detect which sites you have visited - profirefox.org says:

    [...] Mozilla is already working on this bug. [via Giorgio Maone's blog] [...]

  20. #20 Nilesh says:

    Hi Giorgio,

    When I cleared the history of Mozilla FF, visiting startpanic.com didn't yield any result. The bug lifts information about visited website from the history. Isn't it? Is IE also susceptible? My IE 7.0 hangs whenever I visit startpanic.com and click Check. Why?

  21. #21 Giorgio says:

    @Nilesh:

    The bug lifts information about visited website from the history. Isn’t it?

    Yes. More precisely, attackers can tell if a certain URL is present in your history or not (they're using a list of 100,000 to be impressive).

    Is IE also susceptible?

    Of course it is. Every modern browser is susceptible.

    My IE 7.0 hangs whenever I visit startpanic.com and click Check. Why?

    Because its JavaScript interpreter sucks?

  22. #22 rvdh says:

    fuck this is ..what.. 3 years old news? am I the only one without amnesia or what?

  23. #23 Giorgio says:

    @rvdh:
    Did you notice the OP starts with "Nothing new" linked to a... what? ... 3 years old article? :P
