:visited links privacy issue revisited
This is a follow-up to my old post about the :visited links privacy issue. Back then I thought the best solution to this issue would be educating users about the problem and promoting Private mode as the fix. I think I was wrong; see below why.
It’s worth noting that all browsers now support Private mode: IE8, Fx, Opera, Safari, Chrome. Opera 10.50 can even open a “private” tab in the existing window. Flash Player did a good catch-up too: since its 10.1 release, Flash cookies are not stored when the browser runs in Private mode (so updating to the latest Flash Player is highly recommended if you use Private mode).
But browser vendors have clearly failed to promote this feature. I asked a few general internet users, and nobody even knew about the Private browsing mode in their browser. (However, most of my interviewees knew about HTTPS, so security concerns weren’t completely new to them.) If my small poll doesn’t seem like a representative sample to you, do your own and share the results!
So people are obviously not aware that their history data can be “obtained” by anyone.
David Baron thought this was unacceptable and started working on a patch for Gecko which targets most of the “attack vectors” (see his blog post). Basically, Gecko will keep two style contexts for a visited link: one computed with the :visited rules applied, and one computed as if the link weren’t visited, i.e. with only the default or :link rules applied. getComputedStyle will return the unvisited context, so a script checking the computed value of a property set in a :visited rule will fail: it will see the default value or the value specified in the :link rule. When the browser does the actual styling, it will use the visited context, but only for a small set of properties considered safe (for example outline-color). This approach looks nice and will give users some protection, but as Robert O’Callahan pointed out here, it will fail if it ever becomes possible to read the actual color of the link after styling is done. So this approach has to be applied very carefully: for example, if Canvas drawWindow were available not only to Fx extensions, an attacker would still be able to read the resulting color from the visited style context. I really hope this never happens.
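To make the split between what script can observe and what actually gets painted concrete, here is an added example (not code from this post or from Gecko) that models the two style contexts in plain JavaScript. The sample stylesheet, the helper names and every entry of the safe-property list other than outline-color are assumptions of the model, not Gecko’s real lists.

```javascript
// Added example, not code from the post or from Gecko: a small model of the
// two-style-context approach described above.

// Properties the painter may take from the visited context. The post names
// outline-color; color and background-color are included here as an assumption.
const SAFE_VISITED_PROPERTIES = new Set(["color", "background-color", "outline-color"]);

// Constructed sample stylesheet. The :visited rule changes one safe property
// (color) and two unsafe ones (font-size, background-image).
const SAMPLE_RULES = [
  { selector: "a", declarations: { color: "blue", "font-size": "16px", "background-image": "none" } },
  { selector: "a:visited", declarations: { color: "purple", "font-size": "20px", "background-image": "url(visited.png)" } },
];

// Tiny cascade: rules are applied in order and later declarations win.
// Supported selectors: "a", "a:link", "a:visited".
function cascade(rules, treatAsVisited) {
  const computed = {};
  for (const { selector, declarations } of rules) {
    if (selector === "a:visited" && !treatAsVisited) continue;
    if (selector === "a:link" && treatAsVisited) continue;
    Object.assign(computed, declarations);
  }
  return computed;
}

// Build both style contexts for one link whose real history state is `reallyVisited`.
function computeStyleContexts(rules, reallyVisited) {
  return {
    unvisited: cascade(rules, false),       // styled as if never visited
    visited: cascade(rules, reallyVisited), // styled with the link's true state
  };
}

// What script sees through getComputedStyle: always the unvisited context.
function scriptVisibleStyle(contexts) {
  return { ...contexts.unvisited };
}

// What the painter uses: the unvisited context, overridden by the visited
// context only for properties on the safe list. Unsafe :visited declarations
// (here font-size and background-image) are never applied, so they cannot
// change layout or trigger a resource load that would reveal the history state.
function paintStyle(contexts) {
  const paint = { ...contexts.unvisited };
  for (const [prop, value] of Object.entries(contexts.visited)) {
    if (SAFE_VISITED_PROPERTIES.has(prop)) paint[prop] = value;
  }
  return paint;
}

// Run the model for one link and return both views.
function styleLink(reallyVisited, rules = SAMPLE_RULES) {
  const contexts = computeStyleContexts(rules, reallyVisited);
  return { script: scriptVisibleStyle(contexts), paint: paintStyle(contexts) };
}

// True when the painted color differs from the script-visible one. This is the
// gap O'Callahan points at: anything able to read back painted pixels (such as
// a drawWindow-like API exposed to web content) would still leak the state.
function paintedColorLeaks(reallyVisited, rules = SAMPLE_RULES) {
  const { script, paint } = styleLink(reallyVisited, rules);
  return script.color !== paint.color;
}

console.log(JSON.stringify(styleLink(true), null, 2));
```

Running it with node prints the two views for a visited link: the script view reports blue and a 16px font, exactly as for an unvisited link, while the paint view uses purple but keeps the unvisited font-size and background-image. `paintedColorLeaks(true)` returning true is the point of the O’Callahan caveat: the protection holds only as long as nothing in web content can read back what was painted.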
So I was wrong because I thought no browser vendor would go and fix this technically, while it seems quite doable, and thanks to David Baron it will appear in Gecko. With careful integration, this approach will protect against most of the possible attacks and will still give authors a way to make visited and unvisited links distinguishable in their designs.
We’ll now see what other browser vendors do, and this will become especially interesting if Firefox runs a good marketing campaign around this feature.