The Omni Group
These forums are now read-only. Please visit our new forums to participate in discussion. A new account will be required to post in the new forums. For more info on the switch, see this post. Thank you!

Go Back   The Omni Group Forums > OmniWeb > OmniWeb General
FAQ Members List Calendar Today's Posts

 
Is OmniWeb open to history sniffing/hijacking? Thread Tools Search this Thread Display Modes
Ward
Member
Ward's Avatar
2010-12-07, 08:10 AM
AP Technology Writer Jordan Robertson's article, Secretly visited porn? Some websites use browser flaw to expose where you've gone, hit the Internet last Sunday. The attention-grabbing title misses the focus of the report, harvesting browser histories of all visited sites. It's not just porn sites we should be concerned about.

From the article: "Current versions of the Firefox and Internet Explorer browsers still allow this, as do older versions of Chrome and Safari, the researchers said."

Does OmniWeb include the history sniffing protection like the latest releases of Chrome and Safari?

-- Ward

[submitted as formal feedback]
Post 1
 
dave_m
Omni
dave_m's Avatar
2010-12-07, 03:23 PM
This article has been making the rounds this week, but I haven't seen a link to a demonstration of the method, or information about which versions of WebKit older than the current Safari and Chrome shipping versions are affected. For what it's worth, the OmniWeb 5.11 sneaky peeks do include a more recent webkit version than 5.10.3.
Post 2
 
Ken Case
Omni
Ken Case's Avatar
2010-12-07, 05:28 PM
I haven't tested whether any specific version of OmniWeb is vulnerable to history sniffing, but it appears the technique used is to load up an invisible inline frame with a bunch of links and then test whether the links are rendered with the visited CSS property.

I'm not sure what specific steps Chrome and Safari have taken to block this, but I'm guessing that they disabled JavaScript's access to the CSS properties used to sniff out the visited status; if so, those fixes would be in the latest shipping WebKit which is now in OmniWeb 5.11.

(I haven't explored this, but it seems like it would be hard to solve this generally without blocking a lot of JavaScript/CSS functionality. For example, even if you can't access the visited state directly, you could presumably still use CSS to set the visited font size to something which would affect page layout, then inspect the layout to see whether a link was visited. Maybe that's still a vulnerability in Safari/Chrome, or maybe they've addressed this somehow?)

I should point out that OmniWeb lets you delete specific history items whenever you wish, which will defeat any sort of history sniffing: show your history (using History->Show History), select the items you wish to delete, then press the Delete key.
Last edited by Ken Case; 2010-12-07 at 05:33 PM..
Post 3
 
whpalmer4
Member
2010-12-07, 05:43 PM
A bit off the original track, but if you have a specific site you want to visit that you fear might do history sniffing, you could use Fluid to make a site-specific browser. First came disposable email addresses, now disposable browsers!
Post 4
 
 

« Previous Thread | Next Thread »



Similar Threads
Thread Thread Starter Forum Replies Last Post
Omniweb crash on open assassinator67 OmniWeb Bug Reports 7 2009-03-17 11:13 PM
Browser history sniffing. globetrotterdk OmniWeb General 0 2008-02-09 02:23 PM
Auto-open on a drop (à la OmniWeb) Ward OmniFocus 1 for Mac 6 2007-07-06 06:42 AM
Hijacking? drdbthompson OmniWeb General 4 2007-03-16 07:49 AM


All times are GMT -8. The time now is 11:53 AM.

Contact Us - The Omni Group Forums - Archive - Privacy Statement - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.