I see London, I see France — Tailrank goes 2.0

TailRank Autodiscovery

Kevin Burton launched Tailrank 2.0 today, a welcome improvement over the previous iteration.

As has been reported, the improvements in the ranking algorithm put it closer to sharing TechMeme’s lunch, though I still find TechMeme slightly more readable. Still, Kevin’s done some great work and should be commended on his essentially solitary efforts banging out code at Coffee to the People.

Now, what hasn’t been reported on is something a bit more… shall we say… scandalous. It’s not really that bad, I guess, but does hover between genius and spyware.

What I’m talking about is the RSS autodiscovery technique that Kevin’s created for populating your personal feed list (my result from Safari — a browser I barely use — is above).

Here’s how it works (it’s actually pretty simple so get ready for some geeky stuff…!):

When you visit the import page and click “Auto Configure”, Tailrank loads a page in an invisible iframe that contains some JavaScript, basic CSS and a long list of links (over 400K worth, actually).

The JavaScript does something really clever to determine if the links should be added to your subscription list: by setting the style of visited links to be relative (as opposed to having no style at all) and then testing to see which of the provided list of links have that style, Kevin’s able to effectively rummage through your browser history and collect a list of blogs that you’ve previously visited (at least since you last cleared your cache).

Want to try it? I set up a demo that should detect at least one site (if you’re not reading this in a feed reader — if you are, visit my blog and then try it).

Obviously this technique, coupled with an invisible AJAX script, could be a pretty potent tool for gathering information about what sites folks have visited (like banking sites, for example) if it automatically ran when the page first loaded (fortunately you have to click a button to start the script on Tailrank).
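A defender-side check for the pattern described above, added here as an example and not Tailrank's code: it lists the `:visited` rules in a stylesheet that set anything other than a colour, which is the kind of style difference the script tests for. The function name, the property allow-list and the sample stylesheet are assumptions made for the illustration.

```javascript
// Added example, not Tailrank's code. Flags :visited rules that set anything
// other than a colour, i.e. a style difference a script could test for.

// Colour-only properties that current browsers still apply to :visited links.
const COLOR_ONLY = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'text-decoration-color',
  'text-emphasis-color', 'fill', 'stroke',
]);

function auditVisitedRules(css) {
  const findings = [];
  const source = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop CSS comments
  // Innermost "selector { declarations }" blocks; also matches rules in @media.
  for (const [, selectorList, body] of source.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const selectors = selectorList.split(',').map((s) => s.trim())
      .filter((s) => /:visited\b/i.test(s));
    if (selectors.length === 0) continue;
    // Simplification: assumes no ';' inside a value (e.g. in a quoted string).
    for (const decl of body.split(';')) {
      const colon = decl.indexOf(':');
      if (colon < 0) continue;
      const property = decl.slice(0, colon).trim().toLowerCase();
      const value = decl.slice(colon + 1).trim();
      if (!property || COLOR_ONLY.has(property)) continue;
      for (const selector of selectors) findings.push({ selector, property, value });
    }
  }
  return findings;
}

// Constructed sample stylesheet, modelled on the description in the post.
const SAMPLE_CSS = `
  /* hidden frame styles */
  a { color: #00c; }
  a:visited { position: relative; }
  a:link, a:visited { color: #551a8b; }
  @media screen { #feeds a:visited { position: relative; color: red; } }
`;

for (const f of auditVisitedRules(SAMPLE_CSS)) {
  console.log(`${f.selector} sets ${f.property}: ${f.value}`);
}
```

The check does not tell whether the same declaration also applies to unvisited links, so a flagged rule is a prompt for review rather than proof of history detection.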

Personally I think this trick is pretty cool — and a very innovative way to gather information about someone’s reading habits based on their actual behavior (if they’re the only ones using the browser, of course). I don’t like, however, that Kevin hasn’t disclosed his methodology on the Import page considering that, as early as 2002, a similar technique was discussed as being a browser security hole and has since come up repeatedly.

In any case, this is probably the best use of this tactic I’ve seen, and in less capable or more devious hands it could be a pretty dangerous trick.

Still, the rest of Kevin’s work is rather remarkable and worth a look — especially his tools page. As for the auto-importer, well, I’ll leave it up to you to decide whether to use it.


Author: Chris Messina

Product guy, friend to startups, inventor of the hashtag, proponent of bots and conversational apps; Xoogler and X Uber.

4 thoughts on “I see London, I see France — Tailrank goes 2.0”

  1. Just a few notes….

    It would only be nefarious if we were to do something evil with it and/or automatically stole the information. We’re trying to build a better experience for our customers which I think at the end of the day is just good karma.

    Also note that we’re importing from a whitelist so really the only thing we could do is find out that you’re reading feedblog or gigaom or something.

    I’ll follow up to see if there are more comments but it’s sleep time for me 🙂

    Kevin

  2. I actually think it’s pretty cool — but that’s because I know you. 😉

    I would watch this issue and if no one else picks it up, you’re in the clear. If they do, it’s not necessarily your issue, since this is something that’s been, as you pointed out, discussed before with no proper outcome.

  3. When this technique was posted to Digg, using a wonderfully inaccurate and scandalous title, it got a LOT of attention.

    http://digg.com/security/A_CSS_Hack_to_steal_your_browser_history_in_Firefox

    Obviously, it’s clever but a) not CSS and b) doesn’t steal your history… just does a compare against a whitelist.

    Kudos to these guys for this implementation. But I wouldn’t be surprised to get some backlash, more from people who don’t understand than anything else.

  4. Yeah….. It’s a technology similar to crypto….. it can be used for good AND evil.

    I just use my powers for good though 🙂
