Show HN: A Simple Website for Checking Cloudbleed from Browser's History (cloudbleed.github.io)
132 points by cloudvrfy on Feb 26, 2017 | 27 comments


My first reaction when I read the title was that there is no way I'm giving my browser history to some arbitrary website.

But I see you're using the :visited pseudo-class. That's actually quite genius!


Right, so this site uses CSS selectors to show the user a different colour for each site they've visited.

In the past the site would also be able to access the different style information rendered by the browser and use it to find out which sites you'd visited. Luckily that privacy leak was patched up a while ago: https://blog.mozilla.org/security/2010/03/31/plugging-the-cs...

Now you'd have to do something like use timing attacks on the browser's cache... :)


Or, since you're encouraged to hover or click on each highlighted block, JavaScript could leak your information once you interact. There's no protection from the human-in-the-loop leaking their own privacy.


There are some false negatives here as they're linked to without the www. I haven't visited https://okcupid.com but I have visited https://www.okcupid.com. Therefore, it doesn't have a red dot when it should.


For a temporary fix, I prepend 'www.' to all the links. It could be improved by having all the related frequently used URLs of the sites listed, e.g. other subdomains. Thanks!


This breaks where the link is a subdomain, e.g., www.news.ycombinator.com.


Fixed it. Thanks!
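The two threads above (the :visited trick, and the 'www.' prefix breaking subdomain links) come down to one question: which exact URLs should the page emit as anchors so that a visited site actually lights up? The following is an added example, not code from cloudbleed.github.io or its author; the function names (normalizeHost, visitedProbeUrls, buildProbeList, renderProbeHtml) and the sample domain list are assumptions made for illustration.

```javascript
// Added example (not the cloudbleed.github.io page's own code). Builds the
// anchor list a :visited-based history check needs, handling the two
// problems raised in the thread: duplicate entries and the www./subdomain
// mismatch. Names are hypothetical.

// Strip scheme, path, trailing dot and a leading "www." so that duplicates
// like "getbootstrap.com" and "https://www.getbootstrap.com/" collapse to one.
function normalizeHost(entry) {
  let host = String(entry).trim().toLowerCase();
  host = host.replace(/^[a-z][a-z0-9+.-]*:\/\//, ""); // scheme
  host = host.split(/[/?#]/)[0];                     // path, query, fragment
  host = host.replace(/\.$/, "");                    // trailing dot
  host = host.replace(/^www\./, "");
  return host;
}

// :visited only matches an exact URL, so a visit to https://www.okcupid.com/
// does not colour a link to https://okcupid.com/. Emit both forms for a bare
// two-label domain, but leave hosts that already carry a subdomain alone
// (www.news.ycombinator.com is not a URL anyone visits). Limitation: a
// public-suffix domain such as example.co.uk has three labels and gets no
// www. variant here; a real deployment would consult the public suffix list.
function visitedProbeUrls(entry) {
  const h = normalizeHost(entry);
  const hosts = h.split(".").length <= 2 ? [h, "www." + h] : [h];
  const urls = [];
  for (const hh of hosts) {
    urls.push("https://" + hh + "/", "http://" + hh + "/");
  }
  return urls;
}

// De-duplicate by normalized host, then expand each host to its probe URLs.
function buildProbeList(entries) {
  const seen = new Set();
  const out = [];
  for (const e of entries) {
    const h = normalizeHost(e);
    if (!h || seen.has(h)) continue;
    seen.add(h);
    out.push({ host: h, urls: visitedProbeUrls(h) });
  }
  return out;
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Plain anchors; the page's stylesheet does the rest, e.g.
//   a { color: gray } a:visited { color: red }
// The script never learns the result: browsers paint :visited but report the
// unvisited style to getComputedStyle, so only the user sees which dots are red.
function renderProbeHtml(entries) {
  const items = [];
  for (const { host, urls } of buildProbeList(entries)) {
    const anchors = urls
      .map((u) => '<a href="' + escapeAttr(u) + '" rel="noreferrer">&#9679;</a>')
      .join("");
    items.push("<li>" + escapeAttr(host) + " " + anchors + "</li>");
  }
  return "<ul>" + items.join("") + "</ul>";
}

// Constructed sample list with the kinds of duplicates mentioned in the thread.
const SAMPLE_DOMAINS = [
  "getbootstrap.com",
  "https://www.getbootstrap.com/",
  "okcupid.com",
  "news.ycombinator.com",
  "coinbase.com",
  "Coinbase.com/",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderProbeHtml(SAMPLE_DOMAINS));
}
```

The list is de-duplicated by normalized host before expansion, so each site appears once with one dot per URL variant; a red dot on any of them means that exact URL is in the browser's history.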


Cool use case for the CSS history feature :)

@author: Some sites are listed multiple times, like getbootstrap.com


Agreed, nice job!

Blockchain.info and coinbase.com also appear to be dupes in my listing.


Removed the duplicate sites. Thank you!


Ugh, I didn't realize clicking randomly on the heart would take me to a porn site. The only red for me was HN.


HN is in the list? I'm here all the time and I don't see a red HN dot.


It's because he broke it. He changed it so it puts www in front of all domains. But that won't work for all domains.


Ah, okay.


Mouse-based design. Not ideal for me on a mobile phone where I have no mouse!


This sounds like an NSFW game of click roulette.


Interestingly, news.ycombinator.com is showing as red.


One thing I didn't see discussed at all (mind you, there were thousands of comments on various threads) was crowdsourcing the search for exploited domains in people's browser cache (as opposed to search engine and archive caches).

If I understand this, it "simply" matches against the already known list of domains known to have leaked. Right? But what about potential other leaks that didn't get cached by search engines but that might live in people's caches?


Neat.

FYI there are a bunch of duplicates, like Cloudflare itself, Hacker News, Medium, Codepen (just a few of the ones I've actually visited).


I noticed for me Discord's site and Laravel were also duplicated.


Removed the duplicate ones. Thanks!


One of the included sites is agilebits.com, but they're not actually vulnerable (all of the important traffic there is encrypted separately so even with TLS broken their users aren't vulnerable).


Why Cloudbleed and not Cloudburst? Seems like a missed opportunity (though I understand it's a reference to Heartbleed.)


Would be interesting to see an extension with browser history access to search through your history for actual leaked data.


I've been to Hacker News and TransferWise, but I don't see red blocks for them.


Fixed the URL of Hacker News and changed the URL of TransferWise. Thanks!


I'm not getting any different colours, in Chrome 56.



