The developers at Mozilla soon will be adding a new privacy enhancement to the Firefox browser that will help prevent attackers and the operators of third-party Web sites from seeing which other sites a user has visited.
The technology is meant to address one of the older privacy problems on the Web, namely the fact that Web sites can see which links a user has visited. On most sites, any link that a user clicks on will turn a different color after the user clicks. This was designed as a convenience for Web users, enabling them to see where they’d gone on a given site.
However, the JavaScript function that carries out that operation behind the scenes allows other sites to see which links a user has followed, which is not optimal for privacy. So Mozilla officials are planning to implement a change that will make all links appear as though they’re unvisited, regardless of the reality.
The new method should be in the Mozilla development tree soon.
“The biggest threats here are the high-bandwidth techniques, or those
that extract lots of information from users’ browsers quickly. These
are particularly worrisome since they enable not only very focused
attacks, but also the widespread brute-force attacks that are, in
general, more useful to a variety of attackers (potentially including fingerprinting),” Sid Stamm of Mozilla’s security team wrote in a blog post. “The JavaScript function getComputedStyle() and its related
functions are fast and can be used to guess visitedness at hundreds of thousands
of links per minute. To make it harder for web sites to figure out
where you’ve been without radically changing the web, we’re approaching
the way we style links in three fairly subtle ways.”
The privacy-enhancement method, which was developed by L. David Baron of Mozilla, will limit what CSS can do to visited links to only allow color changes; no other style changes to visited links will be allowed. Mozilla also is changing the way the browser lays out pages. “The changes cause all styles to be resolved on all links for both
visited and unvisited states, and it is stored; then, when the link is
styled, the appropriate set of styles is chosen making the code paths
for visited and unvisited links essentially the same length. This
should eliminate some of the easy-to-mount timing attacks,” Stamm wrote.
And, the new method will prevent JavaScript from hacing access to the information about whether a link has been visited. The changes are under-the-covers type modifications that should not make much of a difference in the way that users view the Web. However, Stamm said that some sites that rely on styles other than color changes to denote visitied links make not work well initially.
“We have to be realistic, though: there are many ways all browsers
leak information about you, and fixing CSS history sniffing will not block
all of these leaks. But we believe it’s important to stop the
scariest, most effective history attacks any way we can since it will be
a big win for users’ privacy,” Stamm wrote.
Security researcher Robert Hansen pointed out the limitations of Mozilla’s fix.
“The first problem is that this is only Mozilla – so we’re talking about a
minority of all users. Secondly, of all the hacks we have at our
disposal, this is just an information leakage. In fact, I recently
wrote a letter, as did a handful of other security researchers, and I
only marked this as third on the importance to fix out of five. Worse
yet, it doesn’t actually fix the problem. There are still other timing
based attacks to get the same information. So while it’s great that
we’re finally fixing an 8 year old P1 bug, it’s not like the problem is
gone, we’ve just removed one vector. The bad guys still have others at
their disposal,” Hansen wrote in a blog post on the Mozilla change.
