Mozilla to Fix CSS History Leak Soon
The developers at Mozilla soon will be adding a new privacy enhancement to the Firefox browser that will help prevent attackers and the operators of third-party Web sites from seeing which other sites a user has visited.
The technology is meant to address one of the older privacy problems on the Web, namely the fact that Web sites can see which links a user has visited. On most sites, any link that a user clicks on will turn a different color after the user clicks. This was designed as a convenience for Web users, enabling them to see where they'd gone on a given site.
However, the JavaScript function that carries out that operation behind the scenes allows other sites to see which links a user has followed, which is not optimal for privacy. So Mozilla officials are planning to implement a change that will make all links appear as though they're unvisited, regardless of the reality.
The new method should be in the Mozilla development tree soon.
"The biggest threats here are the high-bandwidth techniques, or those that extract lots of information from users’ browsers quickly. These are particularly worrisome since they enable not only very focused attacks, but also the widespread brute-force attacks that are, in general, more useful to a variety of attackers (potentially including fingerprinting)," Sid Stamm of Mozilla's security team wrote in a blog post. "The JavaScript function getComputedStyle() and its related functions are fast and can be used to guess visitedness at hundreds of thousands of links per minute. To make it harder for web sites to figure out where you’ve been without radically changing the web, we’re approaching the way we style links in three fairly subtle ways."
The privacy-enhancement method, which was developed by L. David Baron of Mozilla, will limit what CSS can do to visited links to only allow color changes; no other style changes to visited links will be allowed. Mozilla also is changing the way the browser lays out pages. "The changes cause all styles to be resolved on all links for both visited and unvisited states, and it is stored; then, when the link is styled, the appropriate set of styles is chosen making the code paths for visited and unvisited links essentially the same length. This should eliminate some of the easy-to-mount timing attacks," Stamm wrote.
And the new method will prevent JavaScript from having access to the information about whether a link has been visited. The changes are under-the-covers modifications that should not make much of a difference in the way that users view the Web. However, Stamm said that some sites that rely on styles other than color changes to denote visited links may not work well initially.
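The three changes described above can be sketched as a toy style resolver. This is an added illustration, not Mozilla's code: the allowlist of colour properties, the function names and the sample stylesheet are all assumptions made for the example.

```javascript
// Toy model of the link-styling changes; constructed for illustration, not Mozilla's code.
// ASSUMPTION: the article only says "color changes"; this allowlist is illustrative.
const VISITED_ALLOWED = new Set(['color', 'background-color', 'border-color', 'outline-color']);

// Constructed sample stylesheet: the :visited rule sets one colour and two non-colour properties.
const SAMPLE_CSS = `
a         { color: blue; text-decoration: underline; }
a:visited { color: purple; font-weight: bold; text-decoration: line-through; }
`;

// Parse a tiny CSS subset: flat "selector { prop: value; }" rules, no comments or nesting.
function parseRules(css) {
  const rules = [];
  for (const m of css.matchAll(/([^{}]+)\{([^}]*)\}/g)) {
    const decls = {};
    for (const d of m[2].split(';')) {
      const i = d.indexOf(':');
      if (i > 0) decls[d.slice(0, i).trim().toLowerCase()] = d.slice(i + 1).trim();
    }
    rules.push({ selector: m[1].trim(), decls });
  }
  return rules;
}

// Resolve both style sets for every link up front, whatever its history (same work either way).
// :visited declarations outside the allowlist are dropped and reported.
function resolveLinkStyles(css) {
  const unvisited = {}, overrides = {}, dropped = [];
  for (const { selector, decls } of parseRules(css)) {
    const forVisited = selector.includes(':visited');
    for (const [prop, value] of Object.entries(decls)) {
      if (!forVisited) unvisited[prop] = value;
      else if (VISITED_ALLOWED.has(prop)) overrides[prop] = value;
      else dropped.push(`${selector} { ${prop} }`);
    }
  }
  return { unvisited, visited: { ...unvisited, ...overrides }, dropped };
}

// What gets painted: one of the two stored sets is chosen at styling time.
function paintStyle(styles, isVisited) {
  return isVisited ? styles.visited : styles.unvisited;
}

// What a getComputedStyle()-like query reports to script: the unvisited set, always.
function scriptVisibleStyle(styles, _isVisited) {
  return styles.unvisited;
}
```

The `dropped` list doubles as a check for site owners: any entry in it is a visited-link style that would stop rendering under a colour-only rule.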
"We have to be realistic, though: there are many ways all browsers leak information about you, and fixing CSS history sniffing will not block all of these leaks. But we believe it’s important to stop the scariest, most effective history attacks any way we can since it will be a big win for users’ privacy," Stamm wrote.
Security researcher Robert Hansen pointed out the limitations of Mozilla's fix.
"The first problem is that this is only Mozilla - so we’re talking about a minority of all users. Secondly, of all the hacks we have at our disposal, this is just an information leakage. In fact, I recently wrote a letter, as did a handful of other security researchers, and I only marked this as third on the importance to fix out of five. Worse yet, it doesn’t actually fix the problem. There are still other timing based attacks to get the same information. So while it’s great that we’re finally fixing an 8 year old P1 bug, it’s not like the problem is gone, we’ve just removed one vector. The bad guys still have others at their disposal," Hansen wrote in a blog post on the Mozilla change.
Comments
Hey Dennis, where'd http://threatpost.com/en_us/best-hackers-face-threatpost go? How are we supposed to know who is the best of the best now? :(
This article has a workaround for web designers, which lets you still achieve some of what you want: http://www.webdesignfromscratch.com/html-css/getting-around-the-css-history-leak-limitations/
This article has a handy workaround for designers: http://www.webdesignfromscratch.com/html-css/getting-around-the-css-history-leak-limitations/