by tombrossman
4248 days ago
I would prefer not to as I find this useful. What I'm really trying to determine is whether this setting alone is responsible for leaking history metadata. I'm using Firefox with NoScript and I have Firefox set to clear everything except saved passwords when I close it (which I do frequently). I'm hopeful that is good enough because it looks like JavaScript is needed for the leak to occur, right?

There are some other sites that use the same or slightly different tactics to throw everything against the wall and see what sticks. They read your history right out of your cache using timing or logic to know if you've already visited the sites in question they want to query for. They also read the color values of the links to know if you've visited that link before. This was a known issue that someone brought up 10+ years, no 15+ years ago, before we had Firefox and they were working on the not-production-ready Gecko codebase and still just trying to pass early CSS acid tests. Gecko builds early on had this issue and it was raised and to this day no one has fixed it.
No, I'm not a coder/developer as yet and it is over my head and I don't have the time to research it to devise a solution and send a patch upstream. If I could, I have serious doubts it would be mainlined. I have the impression that many in the Mozilla organization are for improving security and privacy but that some of them are MORE than happy to sacrifice our privacy for money or simply don't take things as seriously as others.
I found a bug report in Bugzilla using Google that I can no longer turn up regarding silent basic authentication for tracking: http://user:trackingcookieaspassword@example.com/possiblymor... This is proven and observable at http://ip-check.info. In this bug report someone I believe who works with them submitted a test xpi, authtest.xpi, to negate/nullify/disable this exploit between sites and only allow it on the same visited domain.
The bug report can no longer be found and all current versions of Firefox are still susceptible.
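
Added example, not part of the thread above and not code from Mozilla or the authtest.xpi mentioned there: a small audit that lists the resource URLs of a page that carry credentials in the userinfo part and marks whether they point at the page's own host, which is the policy the last comment describes. The function names, hosts and sample URLs are constructed for illustration.

```javascript
// Audit a page's resource URLs for embedded credentials (user:password@host).
// Assumed policy, taken from the comment above: credentials in a URL are
// tolerated only when the resource is on the same host as the visited page.

function redact(u) {
  // Never echo the identifier itself into a report or log.
  const copy = new URL(u.href);
  if (copy.username) copy.username = "REDACTED";
  if (copy.password) copy.password = "REDACTED";
  return copy.href;
}

function auditEmbeddedCredentials(pageUrl, resourceUrls) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const raw of resourceUrls) {
    let u;
    try {
      u = new URL(raw, page); // resolves relative and scheme-relative URLs
    } catch {
      findings.push({ url: raw, verdict: "unparseable" });
      continue;
    }
    if (u.protocol !== "http:" && u.protocol !== "https:") continue;
    if (u.username === "" && u.password === "") continue; // no userinfo
    findings.push({
      url: redact(u),
      host: u.host,
      verdict: u.host === page.host ? "same-host" : "cross-site",
    });
  }
  return findings;
}

// Constructed sample input: URLs as they might appear in src/href attributes.
const SAMPLE_PAGE = "https://news.example/article";
const SAMPLE_RESOURCES = [
  "https://cdn.example/lib.js",
  "http://user:constructed-id-123@tracker.example/pixel.gif",
  "//reader:pw@news.example/feed",
  "/img/logo.png",
  "http://[bad",
];

for (const f of auditEmbeddedCredentials(SAMPLE_PAGE, SAMPLE_RESOURCES)) {
  console.log(f.verdict.padEnd(12), f.url);
}
```
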