Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CSS can style visited links differently than unvisited links. From a security perspective, this is a problem because a web page can review a user's complete history this way for other sites. This post provides a summary of the problem and proposes a solution.

Website authors can use the getComputedStyle function to determine if a link has been visited or not. An easy way to fix this would be to make this API lie. In practice, this approach doesn't work because the CSS styling itself can vary, including colors, spacing, and other elements.

To fix the above issue, a limitation would need to be put in place to limit the ability to style pages on whether links were visitd or not. Many CSS selectors will always act as if they've been visited. Additionally, the CSS properties applied to links should be limited to a few select options.

A few limitations of this approach are discussed, highlighting the importance of the mitigating threat model for these types of features. First, this is NOT intended to resolve attacks that require user interaction via clicks. Second, fine-grained timing attacks - they hope this prevents most practical ones. Finally, this doesn't intend to avoid browser cache-based attacks.

Overall, a great post on a proposed browser mitigation for a well-known attack vector while keeping as much functionality as possible.