Now that you've seen the consequences of the history detection techniques, you're probably wondering how you can mitigate the problem. Thus far, there have been no accepted general solutions to completely get rid of the problem, but there are things you can do to help protect your privacy.
Tips for users
We've seen a lot of misconceptions about browser history detection, so first let's start off with ineffective solutions...
What will NOT protect you
- Disabling JavaScript: Many people think that JavaScript is necessary for history detection to work, and that disabling it will fix the problem. This is not true, since the detection mechanism can use pure Cascading Style Sheets (CSS) capabilities without any scripting and still detect visited sites. You can check it for yourself by disabling JavaScript and running any of our tests.
- Using the Firefox NoScript plug-in: In its default configuration, NoScript behaves similarly to disabling JavaScript on untrusted websites, and thus doesn't prevent them from using CSS to detect the history.
- Disabling Java or Flash: Java and Flash have nothing to do with the techniques used for history detection, so disabling them will not help.
- Deleting cookies: While cookies have gotten the reputation of being the ubiquitous web "tracking technology", in this case, deleting them will not protect you from having your history detected.
What WILL protect you
In general, there are three possible ways of protecting your browsing history from being detected. While all of them have their own flaws, we present all the solutions we're aware of to give you a choice of what to do.
Disabling your browser's history
If you configure your browser to not keep any browsing history, no-one will be able to detect which sites you visited. You can do so in Firefox by opening up "Options | Privacy" and setting Keep my history for at least X days to 0, and in Internet Explorer by selecting "Internet Options | Browsing History", clicking Settings and setting Days to keep pages in history to 0. You can also take a look at Firefox extensions to help disable or selectively filter your browsing history.
You can also accomplish the same goal by using your browser's "private browsing" mode for all your Web browsing. Unfortunately, that means you'll lose the benefit of easily coming back to a page if you've forgotten its address, and won't be able to use search-bar tools, such as Firefox's Awesome Bar, to quickly go to your favorite pages. Still, this is an option you might consider for the sake of your browsing privacy.
Disabling CSS styling of visited links
A slightly more palatable solution is to remove special rules for displaying visited links, at the cost of not immediately knowing which pages you've already been to.
Firefox 3.5 users will be happy to learn that their browser has a configuration option which
disables visited links. To enable it, type in about:config in the address bar and set the
layout.css.visited_links_enabled option to False.
For browsers which allow custom user stylesheets to override page defaults, you can use the following stylesheet to disable resource downloads for visited links. This only helps if you have scripting disabled by browser configuration or through an extension such as NoScript. Since we can't test this code in all possible browsers, make sure that it has the desired effect for your setup:
:link, :visited, :link *, :visited * {
  background-image: none !important;
  list-style-image: none !important;
  border-image: none !important;
  border-corner-image: none !important;
  -moz-border-image: none !important;
  -webkit-border-image: none !important;
}
Also, as a partial solution, in some browsers (including the most popular ones, Firefox and Internet Explorer),
you can override the default way visited links are shown. In principle, this should
protect you from having your history detected with JavaScript; however, this approach
introduces significant problems, as it potentially breaks the text/background color on
many websites and makes many sites harder to read.
In Firefox:
- Open up Tools > Options > Content > Colors and set the Visited Link color to be the same as the Unvisited Link color.
- Uncheck Allow pages to choose their own colors instead of my selections above.
In Internet Explorer:
- Open up Tools > Internet Options > General > Colors and set the Visited Link color the same as the one used for Unvisited Links.
- Open up Tools > Internet Options > General > Accessibility and set all checkboxes to ignore colors, font styles and font sizes.
Using a special browser extension to fix the problem
If you're a Firefox 1.5/2 user, you can install the SafeHistory extension to protect yourself against the attack we're describing. Unfortunately, the extension does not work in Firefox 3 or 3.5.
Instead, in Firefox 3.5, you can try the LinkStatus extension which can disable visited styles through the "Ignore :visited link style" option.
You can also try your luck using the NoScript plug-in along with a custom CSS stylesheet disabling the background-image property; the stylesheet should have the rules we listed above.
Yet another possibility is to use the Torbutton extension for Firefox, which disables rendering of :visited styles when Tor is enabled, and thus foils this history sniffing technique.
Additionally, you can use the History Block Firefox extension, which will let you specify a list of domains which will never be added to the browser's history. The sites you choose to hide will not be detectable, but all other websites in your browser's history still will.
We're also not aware of similar tools for other browsers (IE, Safari, etc.).
Sadly, those are all the possible solutions that we're aware of. If this isn't acceptable to you (and it shouldn't be), please see our fixing the problem section and pressure your browser vendor to implement one of the proposed solutions.
Tips for webmasters
If you're a webmaster of a website with sensitive content, you might not want to rely
upon all your users having browsers configured to prohibit history detection. In
such a case you could make it harder to sniff
your website's URLs by adding a randomized token to each URL, such as
http://yoursite.com/page/#348343. Doing this is relatively straightforward and
easy to implement, but it does mean that each user would be given a different URL
for the same page. Also, if a particular URL for a page/resource gets popularized
(for example by being posted on a social news website), that single URL can be targeted
in history sniffing attempts. Still, this might be a workable idea, if not for
all pages on your site, then at least for forms where users can potentially enter
sensitive data (such as search queries).
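The token scheme described above, as an added JavaScript example (not code from the original page): it issues a fresh random fragment per link and estimates how long checking every possible token for one page would take at the page's stated rate of up to a million links a minute. The function names and the 16-byte default are assumptions made for this illustration.

```javascript
// Added example, not part of the original page. Runs in browsers and Node.js.
// Uses the Web Crypto API; falls back to Node's built-in module on older Node.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Rate quoted by the page: "up to a million links a minute".
const LINKS_PER_MINUTE = 1e6;

// Return `url` with a fresh random hex token as its fragment.
// The fragment is never sent to the server, so routing is unchanged,
// but the browser records the full URL (fragment included) in its history.
// Note: this replaces any existing fragment, so in-page anchors are lost.
function tokenizeUrl(url, tokenBytes = 16) {           // hypothetical helper
  const bytes = webcrypto.getRandomValues(new Uint8Array(tokenBytes));
  const token = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  const u = new URL(url);
  u.hash = token;
  return u.toString();
}

// Strip the token again, e.g. before logging or generating a canonical link.
function canonicalUrl(url) {                           // hypothetical helper
  const u = new URL(url);
  u.hash = "";
  return u.toString();
}

// Minutes needed to test every possible token for ONE page URL.
function minutesToEnumerate(tokenSpaceSize, linksPerMinute = LINKS_PER_MINUTE) {
  return tokenSpaceSize / linksPerMinute;
}

// Constructed sample input: the page's example site.
const sample = tokenizeUrl("http://yoursite.com/page/");
console.log(sample, "->", canonicalUrl(sample));
console.log("6-digit token:", minutesToEnumerate(10 ** 6), "minute(s)");
console.log("16-byte token:", minutesToEnumerate(2 ** 128).toExponential(2), "minutes");
```

At the page's rate, a six-digit token like the one in the sample URL spans only 10^6 values, about a minute of checking per page, so the token has to be much longer than that to do its job.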
Fixing the problem altogether
We believe that the correct solution to the history sniffing problem requires changing the way Web browsers handle visited links.
An approach taken by the authors of the SafeHistory extension for Firefox is to only highlight visited links on a page if you've clicked on that link from exactly that page. For example, let's say that you search for "Microsoft" on google.com and click on the link to Microsoft's home page. If you ever go back to Google and search for Microsoft, you'll see the top link marked as visited, i.e. purple. However, if you go to any other website which contains a link to Microsoft's home page, the link will not be highlighted.
This solution seems unacceptable to some browser developers because it means that some links you've visited will not be marked as such. However, taking into account the potential effects of allowing browser history sniffing to remain, we believe that this is a small concession to make on part of browser usability.
Other (worse) ways of fixing it include removing the :visited CSS pseudo-class
altogether, making it impossible to get the actual rendered style on <a>
elements in JavaScript, or downloading all :visited background-urls (regardless
of whether the rule was triggered), to close the pure-CSS attack vector.
There might be alternative, better, approaches that browser vendors can take. We urge you to contact your browser vendors and tell them about this problem. They likely know about it, but aren't committed to solving it, because every other browser is also ignoring the problem. We hope that with your support we can make a difference.
It's worth noting that the described problem is a consequence of long-standing (but flawed, in our opinion) Web standards, which were blindly adopted by browser vendors. Since changing the standards is a really complicated task (think of the HTML5 process), it's probably impossible to fix it in a standardized way. Therefore we believe that the only option is to delegate the fix to the browser vendors, as they are responsible for how their products affect Web users.
About the sorry state of things
It is a source of amazement to us that such an obvious and well-documented history sniffing channel has been allowed to exist for so many years. We cannot help but wonder why, despite all the malicious potential, such a hole has not yet been closed.
When thinking about it we've entertained two explanations. The first one is that when this kind of history sniffing was first reported (around 2000, possibly even earlier), the Web was very different from what it is today. At the time, our on-line activities were less personalized; we visited news and shopping sites and even our banks, but most of those were large sites which, when detected, did not have as much potential to reveal about us. Now, we all have our own Facebook and Twitter profiles, Reddit and Digg accounts, we read our friends' blogs and have a much more personal interaction with the Web. All of this is reflected in the links in our browser histories, which wasn't the case when the issue first came up.
The second factor is that, because of Moore's law and advances in browsers' JavaScript engines, it is now possible to check a much larger set of links. Instead of scanning a few hundred or a few thousand, most modern systems can check up to a million links a minute (see the performance section), significantly exacerbating the problem.
Looking at some reactions to this problem in various on-line forums, we also thought of one more possible explanation; it's possible that the few people who were aware of the issue found ways of mitigating it -- for example by using Firefox with the (properly configured) LinkStatus extension or using the NoScript extension with CSS :visited styling overridden by user-specific CSS configuration. Unfortunately, since proper fixes aren't obvious, a large majority of Internet users is oblivious to this problem and vulnerable to history detection.
In general, we fear that the attack will be more and more troublesome in the future; the number of visited links in a given time for each user will probably remain (roughly) constant, while detection speed will continue to rise, resulting in a pure exponential history detection speed-up if we don't solve the problem once and for all.