Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Do you have an example of this working? I thought that browser venders we're having the :visited selector lie to you when you call getComputedStyle on them? Also, how would you workaround the need for JS? I understand that you can do something similiar with tracking pixels, but I'm under the impression that Ghostery blocks them.


>I thought that browser venders we're having the :visited selector lie to you when you call getComputedStyle on them?

It's possible to probe the users history even though getComputedStyle doesn't give it away anymore.

See page 6 of this article: http://www.contextis.com/documents/2/Browser_Timing_Attacks....

Obviously turning off Javascript prevents these types of things to some extent, but even then there are ways: https://www.nds.rub.de/media/nds/veroeffentlichungen/2014/07...

The web is just not designed with preventing information leaks in mind.


Interesting papers, thanks for calling my attention to them. They made me paranoid enough to disable the styling of visited links in Firefox to prevent the large amount of timing attacks that are possible.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: