This will make it feel even more like a real captcha by making it impossible to select the text. (Right now you can select it to see the invisible letters)
Works now, but you might want to block pointer events too, for example I can drag with the mouse from the captcha into the text area below to get a URL.
Quite a bit scarier than the TinSnail demo, but it must have a much lower bandwidth. The source only has three links and you will probably see all three if you have caching turned on. I guess if you're looking for one or two specific sites, it doesn't matter.
Brilliant. getComputedStyle used to give away the color of a link, so at some time this attack was trivial: you didn't need any user input, as a blue link meant :unvisited, and a purple one meant :visited.
Replacing getComputedStyle with user input ("is this letter black or transparent?") is definitely brilliant.
You might want to check out the research paper "I Still Know What You Visited Last Summer: Leaking browsing history via user interaction and side channel attacks" ( http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010.... ). The paper describes several similar (if not the same) attacks.
That would break aggregator sites like HN and Reddit (although really they should be maintaining the visit history themselves, as they do with Reddit Gold users).
I tried to use the history tracking that comes with Reddit Gold for about a week and it was virtually useless. After browsing on my phone and two computers, only like 1 in 10 of the links would correctly show up as purple on the other devices (even just PC to PC it didn't work).
Edit: I should mention I bought Reddit Gold just for this feature, so I was optimistic that it'd work.
Nope, if you fire the AJAX request directly on the onclick event, chances are high it will not be submitted/processed before the browser navigates away...
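An added example (not code from the thread or from any site mentioned in it) of the first-party approach discussed above: the site records which links the user opened itself, and sends the click record with `sendBeacon` or a `keepalive` fetch so it survives navigation. The `/api/visited` endpoint and the JSON shape are assumptions.

```javascript
// First-party visit tracking for an aggregator page, so the site does not
// depend on :visited styling. Assumed (not from the thread): a POST endpoint
// at /api/visited accepting JSON {url}, and a server-supplied visited list.
const VISIT_ENDPOINT = "/api/visited"; // hypothetical endpoint

// A plain XHR/fetch fired from onclick is often aborted when the page unloads.
// sendBeacon and fetch({keepalive: true}) are queued by the browser and
// delivered even after navigation. Returns which path was taken.
function recordVisit(url, nav = globalThis.navigator, fetchFn = globalThis.fetch) {
  const body = JSON.stringify({ url });
  if (nav && typeof nav.sendBeacon === "function") {
    // sendBeacon returns true when the browser accepted the request for later delivery.
    return nav.sendBeacon(VISIT_ENDPOINT, body) ? "beacon" : "beacon-rejected";
  }
  if (typeof fetchFn === "function") {
    fetchFn(VISIT_ENDPOINT, {
      method: "POST",
      body,
      keepalive: true,
      headers: { "Content-Type": "application/json" },
    }).catch(() => {}); // best effort: the page is navigating away anyway
    return "fetch-keepalive";
  }
  return "unsupported";
}

// Mark links the server says this user already opened. The "visited" class is
// styled by the site itself, so nothing depends on the browser's :visited state.
// Returns how many anchors were marked.
function markVisitedLinks(anchors, visitedUrls) {
  const seen = new Set(visitedUrls);
  let count = 0;
  for (const a of anchors) {
    if (seen.has(a.href)) {
      a.classList.add("visited");
      count++;
    }
  }
  return count;
}

// Browser wiring, guarded so the module also loads outside a browser.
if (typeof document !== "undefined") {
  document.addEventListener("click", (ev) => {
    const a = ev.target && ev.target.closest ? ev.target.closest("a[href]") : null;
    if (a) recordVisit(a.href);
  });
}
```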
There has to be a better way to indicate :visited, using browser chrome.
Perhaps only showing the visited info on mouseover (as a cursor style),
or limiting it to cases where the style is a color-change that is not nearly the same as the background color, in a DOM element that is front-most z-index... (but this probably can't be computed reliably...)
or just defaulting to disabling, until the user approves the domain or path (NoScript-esque)
It's sites you've visited at any time in the past (since the cache was cleared). Anything that would normally show up as purple rather than blue on regular websites.
It took me a minute to figure out, but that hard-coded list is the list of URLs it checks to see if you've visited. Try opening a private browser window.
Interesting but this method is limited to the URLs that you list in the javascript (in this case linklist.js). More of a specific validation to see if the user has visited the links you provide rather than a total data scrape.
To fully scrape the user's history you would have to list every URL in existence.
For ad related purposes, it makes it easy to see if you've visited competitors' websites (3-5 of them), therefore meaning that you're actively looking for business, instead of just bouncing on the page with no intent of buying anything.
There are a lot of attacks like this, and it's serious enough that browsers attempt to mitigate them by e.g. preventing JavaScript from reading out the computed properties of a visited link element.
Three sites is obviously too small to do much, but if you splat in a bigger list of popular web sites you can learn a lot about your visitors.
Would have been a greater one if linklist.js contained links to more sites than Github, Reddit and Hackernews... I mean I could have guessed those by assuming that I visited that page via Hackernews.
The submitted title was "Show HN: Tricking the user to access his history using CSS and captchas". We finessed the pronoun issue in this case by just taking "his" out.
How is this anything but a non-sequitur? Personal attacks aren't ungrammatical and racial slurs aren't ungrammatical. Yelling "FIRST!" at the top of a comment thread probably isn't ungrammatical either. Like using 'he' for a generic user, each behavior is obnoxious (albeit in different ways and with different scales).
It is true that the use of male pronouns in gender-neutral context has historically been considered correct and is still considered correct by many. It is, however, generally discouraged because it only serves to reinforce the very real and problematic implication of male as the "default" sex.
Incorrect. Grammar, like all aspects of language, is socially generated. Currently, the shift has been to move towards 'she' or 'they' as a default gender.
Saying "'he' is grammatically correct" is like saying "C++ is the proper programming language." It's all about usage.