(December 4, 2010 at 3:05 pm) tackattack Wrote: Why is it that the information in the history of your browser is supposed to be private? Wouldn't that be the same as someone following you around for a few days finding out what store you shopped at? Yes it's creepy, but how is where you go in any way private? If I put a camera on every car and then designed a program that compiled all of that video and did facial recognition to get a detailed list of which faces went where and when, would that be in violation?

Comparing the gathering of web browser history to following someone around to see which shops they go to would be valid if web browsing was purely a recreational activity. It is not, however, since many things we do online are supposed to be secure, the big example being online banking.
Consider a site that knows your email address (which is not unusual, given that most of us enter it when we register), and records which banking websites you visit by using the attack outlined in the paper. A clever attacker could now launch a phishing attack on you, by sending you an email claiming to be from your bank, and directing you to a page which looks exactly like your bank should look. A flaw in SSL handling in some popular browsers (http://thoughtcrime.org/papers/null-prefix-attacks.pdf) means that this can be done in a very convincing way. Once you log in, the attacker has your username and password, and full access to your bank account.
This kind of attack could work on any site that contains sensitive data about you, ranging from Amazon to PayPal, or even to Facebook. So really, if you want a good comparison, it would be a criminal following you around wherever you went, looking at what PIN number you use when you access your bank, and then stealing your bank cards.
Privacy on the web is very important, not just because it is a civil liberty, but because it is becoming much easier to commit crimes online than it is in the "real world".