“Just Don’t Have Anything Worth Stealing”
One way to ensure you will not be the victim of theft is to simply not have anything to steal. Someone get your credit card number? Can’t happen if you don’t have one in the first place. Steal your login, or hundreds of confidential docs? Not if they never existed. The solution is to do nothing and have nothing, and then nothing bad can happen.
In real life, we don’t usually think that way. We like the advantages of having valuable things, whether they are bank accounts, passwords, or documents. The truth is, security achieved by having nothing to steal is not really security at all.
Real security is having all that stuff and then actually protecting it.
Which brings me to a strange technical discussion that’s been bubbling around lately. It turns out that a feature built into the HTML standard allows any website to test your browser history against a set of “interesting” URLs and send that information back to their server, associated with your IP address and browser cookie, and of course your login if you have one on that site.
For example, Amazon could (hypothetically, and I’m not suggesting they are doing this) have a list of hundreds of book authors’ websites and know whether you visit the blog or website of any of them. Your employer could invisibly test you from your home computer against any set of domains they might care to put in a list. This can all be done with JavaScript disabled (although who does that anyway), and with full security filters on, and on every browser on the market.
Here’s the part that baffles me. Most of the smart, technical people talking about this seem to think it’s pretty much OK. In fact, some blog add-ons for social networking links will peek at your history in order to know which social networks you are actively using.
The prevailing opinion is that it’s a fairly innocent quirk in the HTML standard, that the information gained isn’t really that private, and that you can always just use “private browsing”, clear your history, or turn off history completely. The widespread description of private browsing mode as “pr0n mode” has led to an almost Orwellian attitude that if you want your history to be private, you must be doing something wrong.
Meanwhile, modern browsers can do some really cool things with history. Chrome and Firefox both integrate history into the address bar’s suggest feature. Some browsers have history search, and Explorer has had a pretty decent tree view for a long time.
All this stuff is valuable, and it all works without sharing my history with the rendered HTML page. The proposed security solution of disabling history in order to protect it is a lot like protecting your documents or bank accounts by just not having any.
Technically, the fallacy lies here: Existing solutions (like private browsing) are trying to control how history gets into the browser, but no effort has been made to limit how history gets *out* of the browser. Here is what I said in a comment on Vitaly Sharovatov’s blog, which has been quoted on Slashdot:
The idea that the only way to protect your history data is to give up keeping history at all seems broken to me. Just because the information is in the browser, and I may use it in other ways, doesn’t mean it has to be used to mark up the rendered HTML on sites I visit. There’s nothing that inextricably ties history to the browser’s rendering engine.
Chrome and the latest versions of Safari have thumbnail screens for your top recently visited sites. Again, cool stuff. But why have new browser features at all if you’ve already decided that reasonable people should all just turn them off?
So, please consider this an open letter to browser vendors. Either you intend for this private information to leak out with no controls, or you intend to fix the situation. Otherwise, your enhancements and features around history information are crippled at best, and pointless at worst.

