Styling possibilities for visited links will be limited

Apr 1, 2010 14:52 GMT  ·  By

Mozilla has announced that it is planning to finally fix a privacy issue known as browsing history leaking, which has been around since at least 2002. The changes will limit the styling options for visited links and prevent JavaScript from obtaining the computed style of a link.

CSS history sniffing is a type of attack in which a Web page is able to determine which sites you have visited in the past. Technically, this is possible not because of a bug in the browsers themselves, but because of a design flaw in the CSS specification, which calls for different styling of visited links.

Various implementations of the CSS history hack have been developed over the years, and Mozilla has had this issue marked as P1 (major problem) in its bug tracking system since as far back as 2002. However, a definitive solution would involve radical measures such as disabling visited link styling entirely, which would hurt usability and break an important aspect of the Web experience.

Because of this, Mozilla's fix is intended to tackle only the most dangerous attacks. "The biggest threats here are the high-bandwidth techniques, or those that extract lots of information from users’ browsers quickly. These are particularly worrisome since they enable not only very focused attacks, but also the widespread brute-force attacks that are, in general, more useful to a variety of attackers," Sid Stamm of Mozilla Security explains.

First of all, the upcoming changes will limit the styling of visited links (a:visited in CSS) to color only. Then a series of layout engine modifications will eliminate the layout time differences between visited and unvisited links, so that they can't be used for so-called timing attacks. Additionally, JavaScript functions such as getComputedStyle(), which are critical to the success of these hacks, will be prevented at the browser level from determining a link's style.
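For site authors, the practical consequence of the color-only restriction is that other declarations in `a:visited` rules stop taking effect. The following is an added example, not code from Mozilla or from the original article: a small JavaScript audit that lists such declarations in a stylesheet. The function name `auditVisitedRules`, the sample stylesheet and the set of color properties treated as still allowed are assumptions.

```javascript
// Color-only properties assumed to stay usable on :visited (assumption: the
// article says only "color"); adjust to the target browser's actual list.
const ALLOWED = new Set([
  'color', 'background-color', 'outline-color', 'border-color',
  'border-top-color', 'border-right-color',
  'border-bottom-color', 'border-left-color',
]);

// Return every declaration in a :visited rule that falls outside ALLOWED.
// Handles flat rules and rules nested one level inside @media blocks.
function auditVisitedRules(css) {
  const findings = [];
  const source = css.replace(/\/\*[\s\S]*?\*\//g, ''); // strip comments
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(source)) !== null) {
    // A rule may list several selectors; only the :visited ones matter.
    const selectors = m[1].split(',').map(s => s.trim())
      .filter(s => /:visited\b/i.test(s));
    if (selectors.length === 0) continue;
    for (const decl of m[2].split(';')) {
      const idx = decl.indexOf(':');
      if (idx === -1) continue;
      const property = decl.slice(0, idx).trim().toLowerCase();
      if (property && !ALLOWED.has(property)) {
        for (const selector of selectors) findings.push({ selector, property });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet (not taken from any real site).
const SAMPLE_CSS = `
a:link { color: blue; }
a:visited { color: purple; background-image: url(/img/check.png); }
/* a:visited { display: none } commented out, must be ignored */
@media screen {
  .nav a:visited, .nav a:hover { font-weight: bold; border-color: gray; }
}
`;

for (const f of auditVisitedRules(SAMPLE_CSS)) {
  console.log(`${f.selector}: "${f.property}" will not apply to visited links`);
}
```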

However, not everyone is as enthusiastic about this fix as Mozilla. "You’d think I’d be doing back flips since we’re finally going to see an end to this. Well… the problem is we won’t," web security expert Robert "RSnake" Hansen commented on his blog. "The first problem is that this is only Mozilla - so we’re talking about a minority of all users. Secondly, of all the hacks we have at our disposal, this is just an information leakage. […] There are still other timing based attacks to get the same information. So while it’s great that we’re finally fixing an 8 year old P1 bug, it’s not like the problem is gone, we’ve just removed one vector," the reputed security researcher explained.