Pharyngula

Posted by: Andyo | December 2, 2010 10:49 PM

Yay, at the risk of sparking another browser fanboy war, there's always a tool to block any behavior with Firefox. So I don't mind much when it's using 500 MB of RAM (!).

Posted by: formosus | December 2, 2010 10:54 PM

"I came here to chew bubble gum and kick ass. And I'm all out of bubble gum"

Sorry, couldn't resist. But this:

Creationist Groupies
"Christian" users

Gives me the impression that the higher ups at AiG (or possibly just this coder) take a rather cynical view of their audience. Could it be that they're just using religion as an easy way to make a buck off the rubes? Perhaps their section of arguments that creationists shouldn't use is intended to keep the movement alive (and money flowing) as long as possible.

Posted by: Shadowbright | December 2, 2010 10:58 PM

Not compatible with the latest version of Firefox, apparently. :( Oh well.

Posted by: Andyo | December 2, 2010 11:08 PM

#5, as I said, there's always a way to do anything with FF. The Nightly Tester tools will let you install any add-ons. Most of the current add-ons that give you a version warning work just fine anyway.

That said, I installed this and the options button is greyed out. I don't know if the thing is actually working.

Posted by: clare7 | December 2, 2010 11:10 PM

Anyone know where there might be such blockers compatible with the latest Firefox version?

Posted by: Cuttlefish, OM, CR | December 2, 2010 11:17 PM

I hate them purely because they *still* (bastards!) show up ahead of me when someone googles "cuttlefish".

This news is merely icing on the hate-cake.

Posted by: yorrike | December 2, 2010 11:20 PM

For those wondering, this history hijacking doesn't affect Google Chrome, Safari or other Webkit-based browsers. So if you're using these browsers, you're already protected.

Posted by: Crazyharp81602 | December 2, 2010 11:28 PM

Dang! I can't install the add-ons! :( They're not compatible with the latest version of Firefox, which is exactly what I'm using right now unfortunately! Oh well, eventually they'll get it updated and I can be able to install them.

Posted by: JohnnieCanuck | December 2, 2010 11:41 PM

Tell me more about how they do this. Is there a specific html query for the link visited status or are they running a JavaScript?

Posted by: dannyfritz | December 2, 2010 11:53 PM

info on the exploit: http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/

You can install any Firefox extension on any version simply by opening it up with something like WinRAR and modifying install.rdf with notepad to allow it to install on your version.

But besides, they fixed the css:visited exploit in Firefox beta 4

And it can be prevented in ff3.5 and up with about:config Layout.css.visited_links_enabled false

Posted by: ThirdMonkey | December 3, 2010 12:00 AM

Clever.
What they are doing here is adding links to a bunch of sites to the page and making them invisible to you. Then they loop through them and check the color of the link. Visited links have a different color then unvisited. So they are able to tell if you have visited any of the links they have added.
That's all they can tell however.

Then in true creationist/christian fashion they make a bunch of baseless assumptions about who would or wouldn't visit a particular site... ever.

So for example. I would be a evolution news following, community using, online shopping, media junky child who also visits "Other" sites.

Completely useless.

Posted by: Andyo | December 3, 2010 12:05 AM

#18 UXO

LOL, I think you're getting the reverse situation. That version (3.0) is for a future version of FF (4.0). If you're running FF 3.6 you should get 2.0.3.

Posted by: ThirdMonkey | December 3, 2010 12:10 AM

*snicker*
Leave it to a drunk programmer to analyze the code and post before reading any of the other comments...

But what's particularly funny to me is that they left their categorization comments in the code.

Posted by: Steven Mading | December 3, 2010 12:24 AM

The exploit is, begrudgingly, a clever one. No browser writer would be dumb enough to include a feature to let a site query whether or not other sites were visited, but to simply hijack the feature where it colors visited links, and just query for what color they were rendered in, that's pretty clever.

But the obvious question I then have to ask is... why is the browser taking the time to calculate the color of invisible text? Seems like a waste. "I have now determined that this link would have been purple if it wasn't invisible." Perhaps it's because they don't want to go through the effort to calculate that on the fly later on when some other bit of DOM-manipulating Javascript code un-hides the content.

Posted by: MadScientist | December 3, 2010 12:41 AM

Why block the data theft code when you can wipe the history then go visit the pope's website, a dozen or so other religious crazy websites, then visit AiG.

Posted by: wmdkitty#83021 | December 3, 2010 12:49 AM

SafeCache and SafeHistory can both be "tweaked" to work with later versions of Firefox. Instructions are in the comments here

Posted by: timepiece | December 3, 2010 12:54 AM

Ah yes, that code sure does look evil, with those rows and characters and punctuation and such, but may I direct your attention to this bit here?

"when Ken Ham visits, for instance, they can scan his history and see what kind of preferences he has, and know to quickly entice him with pictures of naked piglets."

Posted by:   | December 3, 2010 1:09 AM

They're ... using code that grabs your entire browsing history so they can monitor every site you've visited.

Incorrect. This method is not quite that sinister.

Posted by: CaptainBlack | December 3, 2010 1:33 AM

To avoid any but the history you want a site to see being harvested you could always keep a second (or third, or ..) browser, with the history set to be erased every time you exit, specially for the occasions. There are plenty of no-install browser versions that can be kept for this purpose.

There are portable versions of Firefox, Opera and Chrome. These do not need installation and so can cohabit with your usual browser without mutual interference.

CB

Posted by: https://me.yahoo.com/a/SaqGVG0xvJEQVwURVamS3DTCdvov0BLhXK1jOsYPPJQ-#b4893 | December 3, 2010 1:45 AM

I fuckin' hate to go to the AiG website. I'd rather use steel wool on my eyeballs.

Problem solved.

MikeM

Posted by: https://me.yahoo.com/a/Cz9byV9pwviASQL_pos83OD7GI15XlNQ7CYf4kXm7n0-#6cdf4 | December 3, 2010 1:59 AM

Hm. It's worrying. Sure, they're only sniffing the browser history now (from what I can tell, I'm a novice at best) but it could potentially be used to filter content in the future, or do a lot of other things.

So, in light of this...what exactly does Chrome have that Firefox doesn't?
I do find Chrome a bit difficult to use (the layout is sort of weird to me and I can never find anything, but I'll get used to it eventually) but I really can't think of any major feature differences between the two. They both have RSS capabilities, they both have customisable search bars, and as far as I know there aren't any sites that won't display properly in Chrome.

*And also in light of the continuing resource-hogging of Firefox - my PC isn't struggling with it right now, but if it keeps up I'm not sure how well 2GB of RAM will last. I do tend to over-tax my PC horribly though - I usually run World of Warcraft, iTunes, Last.fm with scrobbling, MS OneNote, Firefox with 5-6 tabs open, Ventrilo and a distributed computing program all at the same time. I've had more than one complete hang in the last couple of weeks, which tells me that my PC is on its last legs.
However, my PC is also four years old and hasn't had a single hardware upgrade since then so I'm probably bringing this on myself.

Posted by: Draken | December 3, 2010 2:56 AM

I've been on most of the sites listed and I bet many of us have. Without further correlations your browser history tells them nothing much interesting, e.g. whether you're with, or against them.

But now you understand why AiG never, ever links to Pharyngula directly; it would seduce their own target group to pollute their browsing history and render it even more useless.

Another phenomenon that's at least as eerie is browser fingerprinting which, in combination with history sniffing and IP logging, makes it almost-possible to follow your movements.

Most preventive measures require that you sacrifice (considerably) convenience for security. In order to resolve the situation more satisfyingly, browser manufacturers and W3C members would need to sit down and have a long, hard rethinking of browser technologies.

Posted by: Rorschach | December 3, 2010 3:50 AM

These scripts shouldn't work in FF 4, and in older versions with private browsing enabled, or cache set to 0 and history disabled, as far as I can see.
And that's not even talking about operating systems...;)

Posted by: darius | December 3, 2010 4:13 AM

Menyambal # 40:

Private browsing should only make a difference if you clear your history, then use it for ALL websites. It only affects what gets stored (history, cookies, etc.) not what is already there.

Posted by: TC48 | December 3, 2010 4:21 AM

In Firefox, type about:config in your address bar and add a new 'Boolean' called extensions.checkCompatibility.3.6 (or 3.0, 3.5, whatever version you're using). It should allow you to use almost any extension (at your own risk).

More info.

Posted by: lars.melander | December 3, 2010 4:24 AM

I use Opera. Problem solved.

Posted by: John Morales | December 3, 2010 4:30 AM

Buttered Potato,

Every sender of email included in PZ's "I get email" had to visit this website at least once, after all.

Care to try to sustain this claim?

Posted by: Buttered Potato | December 3, 2010 5:26 AM

@ John Morales, #53:

In meant insofar as they're responding to a claim he made, so it follows they went here to read it before writing to him.

Well, now that I think of it, many just spam him without ever coming here, if they already have his email address. Eh. It's early in the morn' and I'm not too coherent.

Posted by: John Morales | December 3, 2010 5:48 AM

Buttered Potato, thank you.

Posted by: Duckbilled Platypus | December 3, 2010 6:24 AM

I got a feeling the coder isn't the biggest fan of AiG.

Got to find me a few websites to fill my history with before I visit them next time. Does anyone know of any atheist gay porn sites, just to super tick them off?

Posted by: Phil | December 3, 2010 6:53 AM

One suggestion for all the Firefox users: NoScript. That should solve it.

Posted by: Naked Bunny with a Whip | December 3, 2010 7:14 AM

I use Opera. Problem solved.

I use Opera, too, but I don't see how that matters. This isn't a browser-specific exploit, it's based on Javascript's typically wide-open access to the document object model.

Posted by: Kevin Anthoney | December 3, 2010 7:25 AM

#47

Private browsing should only make a difference if you clear your history, then use it for ALL websites. It only affects what gets stored (history, cookies, etc.) not what is already there.

Really? Then why does Amazon forget who I am if I visit it under private browsing?

Posted by: David Marjanović | December 3, 2010 7:29 AM

Blockquoet fail. I don't think I've made that particular typo ever before.

There are just too many ways to misspell "blockquote"!

Anyway, I think whoever wrote that code is a liberal Christian who secretly despises the cretinists.

Posted by: Erulóra (formerly KOPD) | December 3, 2010 7:40 AM

The developer may not have had much choice. If my boss lands a contract with AiG. My options are to do the work or find new employment.

Posted by: semopcoes | December 3, 2010 8:14 AM

"Thou shalt not steal?"

Posted by:   | December 3, 2010 8:34 AM

Oh come on, we all know there's only one commandment:

"Thou shalt ever be a hypocritical piece of sewer-dwelling scumeth, and go out and denyeth the rights of whosoever shall dare challenge or disagreeth with thou."

On a whole different note, I see lots of NoScript fans here. I've tried NoScript and RequestPolicy, and they both suck. They may give you an increased sense of privacy, but they also suck up hours of your time. You spend more damned time allowing this and configuring that than you do actually enjoying material on the web. I don't understand this approach at all. I recently had a really bad incident with NoScript whereby it was breaking a web page even when it was disabled, because of how it changed script-related settings in prefs.js. Before realizing what was wrong, I went off like an asshole, claiming the web site had bugs.

Posted by: toadslick | December 3, 2010 9:03 AM

Clever code, but horribly written. The title and URL for each link should be moved to a hash, eliminating the need to retype the

<a href='...'>...</a>" +

Posted by: stvs | December 3, 2010 10:17 AM

Unfortunately, the all the privacy tools mentioned here are aimed at a single exploit. Google Panopticlick, whattheinternetknowsaboutyou, and supercookies to see what information you're leaking and all the various exploits for it. Once the single hole mentioned above is plugged, there's a sieve of others. See the WSJ series on using browsers for snooping, e.g. Microsoft Quashed Effort to Boost Online Privacy . Let's just say not to trust any MS products to protect any of your personal information. But it's not just MS, all major players are in a race for the bottom of personal privacy to capture the most targeted advertising revenue.

The counters range from simple NoScript and CSS control via layout.css.visited_links_enabled as mentioned above, but more importantly and effectively TACO, BetterPrivacy, and Adobe Flash Settings to control and delete Flash "supercookies" (which are used to follow you around whether or not you delete your ordinary cookies, history, and cache), and disabling "Third Party Cookies".

Even better to use a local Squid->Privoxy proxy chain for everything, configured for privacy:

header_access From deny all
header_access Server deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Cache-Control deny all
header_access Proxy-Connection deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all
header_access Keep-Alive deny all

Posted by: toth | December 3, 2010 10:43 AM

Wow, what a hack. Checking based on link color? The programmer in me shudders.

Also, I admit I don't know the intricacies of HTML rendering in the various engines, but I would have assumed that CSS would not be applied (at least things like color) if something is rendered with display: none. Live and learn, I guess.

Posted by: newbery.myopenid.com | December 3, 2010 10:58 AM

Not sure if this has been pointed out yet but the code just records the data and pushes it to google analytics... no filtering going on. The very last line calling pageTracker is a standard google analytics call.

Not that this mitigates the privacy issue.

I tried to see the code in context to confirm this but the aig homepage doesn't have it. Either they dropped this really quick or the code is on another page. Shrug.

Posted by: Tim Buchanan | December 3, 2010 11:25 AM

What great timing! This from Science Daily:

Your Web surfing history is accessible

Posted by: eric.kinateder | December 3, 2010 12:02 PM

A shorter way to do it (if you're already using jQuery) would be:

$("#statExternalLinks a:visited").each(function() {
var curSite = $(this).text();
if (userVars.length > 0) userVars += "|";
userVars += curSite;
});

It has interesting implications for tracking what sites your visitors have also been to. You could conditionally use the information to create targeted advertising or content.

For this specific script, they're just sending the information to the Google Site Analytics tracking page for their site:

pagetracker.setvar()

Posted by: DaveH | December 3, 2010 2:27 PM

Just a comment on the whole "working for the enemy" thing:

If I owned a webpage design company, I would gladly take contracts from groups like AiG. And assign them to a special coding team who all entered events like the Underhanded C Contest on a regular basis.

Posted by: cairne.morane | December 3, 2010 3:49 PM

Meh. I saw this 'hack' posted on one of the tech blogs I visit and frankly it's a non-event. I reacted the same way I presume PZ did to the arsenic life story.

If you don't have a plugin like SafeHistory installed and you're not using private browsing then you should basically assume that any site you visit can know where you've been since the last time you cleared your history and cookies.

As others have pointed out the list is not really categorized - those are just comments. The code above makes no real attempt to distinguish between www.amazon.com and www.richarddawkins.net.

Secondly this trick only works for the base site address exactly as typed above. The code above for example couldn't tell if you had visited www.amazon.com?product=12inchdildos. The sheer possible number of links, even on a medium sized site, would make any detailed research using this approach impractical.

Finally I'll point that changing the color of clicked and un-clicked links will likely not work since the CSS setting would override your local browser setting.

Mike.

Posted by: SlantedScience | December 3, 2010 6:39 PM

Creation Museum and Joel Osteen in "Other"!

Awesome!!!!!!!

Posted by: A Bad Idea (♀) | December 4, 2010 6:49 PM

I consider checking anything other than the referrer to be unacceptably rude towards users... but I do find it strange/amusing that they're checking for the movie trailers page at Apple... and that the coder was apparently shanghaied into this.

Thankfully, they are almost certainly only doing demographics with this, rather than content filtering.

Posted by: chenxin | December 7, 2010 6:07 AM

NFL Jerseys Cheap NFL Jerseys Wholesale NFL Jerseys NHL Jerseys Cheap NHL Jerseys Cheap Jerseys Wholesale Jerseys Wholesale NHL Jerseys MLB Jerseys Cheap MLB Jerseys Wholesale MLB Jerseys http://www.nfl2shop.com

Posted by: Rorschach | December 12, 2010 3:15 AM

Congratulations, we did not find anything in this category in your browser history. Feel free to try our other browser history tests.

That'll do for now.