Mozilla Plugs The CSS History Leak


All web browsers are currently vulnerable to a CSS history leak which enables attackers to test if a particular site was visited by a user in the browser used to connect to the site.

The CSS leak makes use of a feature of CSS that colors visited and non-visited links in a different manner. All the attacker needs to do is display a huge list of possible sites on a page and check the color of each link to see whether the site has been visited.

Basically, a huge list of links is added to a page (it can be hidden). The browser uses a different color for visited links, and the script on the site just needs to check which of the links match that color to know that a user went to that site before.

The scripts are currently testing more than 200K URLs per minute, which should be enough to create a solid profile of nearly any web user.

Some factors mitigate the problem, such as clearing the history regularly.

Mozilla developers have now come up with a solution for the problem that applies three changes to the way links are styled in the web browser.

The Mozilla blog has a fairly long article up with technical details, as does David Baron, whose solution was picked to plug the CSS history leak in the web browser.

The three changes take care of layout-based attacks, timing attacks, and computed style attacks.

  • layout-based attacks: Mozilla decided to limit the styling that can be done to visited links.
  • timing attacks: eliminates attacks that distinguish visited from unvisited links by measuring the time it takes to resolve those.
  • computed style attacks: returns the unvisited style if a script attempts to get the computed style of a link.
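A toy model of how the three changes fit together, as an added example that is not Firefox code or code from the Mozilla article. The property allow-list, the sample stylesheet and all function names are assumptions made for illustration.

```javascript
// Toy model of the three changes; added illustration, not Firefox source code.
// Assumption: a small color-only allow-list for what :visited may still change.
const VISITED_SAFE = new Set(["color", "background-color", "border-color", "outline-color"]);

// Constructed stylesheet: the :visited rule tries to change layout and load a URL.
const sheet = {
  link: { color: "blue", "font-size": "12px", "background-image": "none" },
  visited: { color: "purple", "font-size": "40px", "background-image": "url(/hit.png)" },
};

// Layout-based + timing: both styles are built for every link, visited or not,
// and :visited declarations outside the allow-list are ignored.
function resolveStyles(rules) {
  const unvisited = { ...rules.link };
  const visited = { ...rules.link };
  for (const [prop, value] of Object.entries(rules.visited)) {
    if (VISITED_SAFE.has(prop)) visited[prop] = value;
  }
  return { unvisited, visited };
}

// Painting is the only step that consults history.
function paintedStyle(styles, isVisited) {
  return isVisited ? styles.visited : styles.unvisited;
}

// Computed style: script is always handed the unvisited style.
function computedStyleForScript(styles, isVisited) {
  void isVisited; // deliberately unused: the answer must not depend on history
  return { ...styles.unvisited };
}

// Everything a page could measure about one link: script-visible style plus
// the non-color properties that drive layout and resource loads.
function observableByPage(isVisited) {
  const styles = resolveStyles(sheet);
  const painted = paintedStyle(styles, isVisited);
  const nonColor = Object.fromEntries(
    Object.entries(painted).filter(([prop]) => !VISITED_SAFE.has(prop)));
  return JSON.stringify({ script: computedStyleForScript(styles, isVisited), nonColor });
}

console.log(observableByPage(true) === observableByPage(false)); // same either way
console.log(paintedStyle(resolveStyles(sheet), true).color);     // user still sees purple
```

The user still sees the visited color on screen, while everything the page can read or measure is identical for visited and unvisited links.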

It is not yet clear when this will make its way into the Firefox web browser but it is likely that it will be implemented soon.

Users who do not want to wait can protect themselves from the leak by setting the layout.css.visited_links_enabled option in about:config to false, which has the consequence that no styling for visited links is displayed in the web browser.

Users of all web browsers who want to test what a script could find out about their surfing habits can visit the Start Panic website.

Update:

All modern browsers are protected against these kinds of attacks now.

The website mentioned in the last sentence should not display any sites that you have visited in the past if you are using a modern web browser.

There is no need anymore to restrict the styling of visited links in your web browser, but you can still do so if you want.