Links to attempt snooping
Explanation
This page tries to detect whether a browser is vulnerable to a privacy
attack: checking whether a page has been visited by detecting the different
rendering of visited and unvisited links.
There are four checks, of increasing obscurity:
- Check the color of the "a" element itself. On this page,
unvisited links are blue (#0000ff) and visited links are slightly less
blue (#0000fe). Probably inpossible to see with the naked eye, but
obvious to a computer.
- Check the color of an embedded "span" element. The color property
is inherited, so the embedded "span" element has the same color as the
surrounding "a" element. This also shows that merely making the color
of a link element unreadable is not a solution.
- Check the padding of the embedded "span" element. An unvisited
link has padding-right:1px and margin-right:0px. A visited link swaps
these. There is no visible difference, but the computer has no eyes,
it just compares 0 to 1.
- Check the background color of the following "span" element. Like
the color of the link, it differs only by one point of blue between
spans following a visited and an unvisited link. This doesn't work in IE
because of its lacking CSS2 support.
Lasse Reichstein Nielsen
Last modified: Sat Jun 11 16:50:04 Romance Daylight Time 2005