Group items tagged

The most obvious fix is to disable different styles for visited versus unvisted links, but this would be employed at the expense of utility: while sites can no longer figure out which links you’ve clicked, neither can you.

David Baron has implemented a way to help keep users’ data private while minimizing the effect on the web, and we are deploying it to protect our users.

The biggest threats here are the high-bandwidth techniques, or those that extract lots of information from users’ browsers quickly.

The JavaScript function getComputedStyle() and its related functions are fast and can be used to guess visitedness at hundreds of thousands of links per minute.

we’re approaching the way we style links in three fairly subtle ways:

Change 1: Layout-Based Attacks

First of all, we’re limiting what types of styling can be done to visited links to differentiate them from unvisited links.

can only be different in color

the CSS 2.1 specification takes into consideration how visited links can be abused:

implement other measures to preserve the user’s privacy while rendering visited and unvisited links differently

Change 2: Some Timing Attacks

we are changing some of the guts of our layout engine to provide a fairly uniform flow of execution to minimize differences in layout time for visited and unvisited links.

when the link is styled, the appropriate set of styles is chosen making the code paths for visited and unvisited links essentially the same length.

Change 3: Computed Style Attacks

JavaScript is not going to have access to the same style data it used to.

Firefox will give it unvisited style values.

it’s the right trade-off to be sure we protect our users’ privacy.

fixing CSS history sniffing will not block all of these leaks. But we believe it’s important to stop the scariest, most effective history attacks any way we can since it will be a big win for users’ privacy.