If there’s one thing websites love to do it’s track their users. Now, it looks like some browsers can even be tracked when they’re in private or incognito mode. Sam Greenhalgh of UK-based RadicalResearch recently published a blog post with a proof-of-concept called ”HSTS Super Cookies.” Greenhalgh shows how a crafty website could still track users online even if they’ve enabled a privacy-cloaking setting.
The key to the exploit is to use HTTP Strict Transport Security (HSTS) for something it wasn’t intended for. HSTS is a modern web feature that allows a website to tell a browser it should only connect to the site over an encrypted connection.
Say, for example, John types SecureSite.com into his browser with HSTS enabled. SecureSite’s servers can then reply to John’s browser that it should only connect to SecureSite over HTTPS. From that point on, all connections to SecureSite from John’s browser will use HTTPS by default.
The problem, according to Greenhalgh, is that for HSTS to work your browser has to store the data about which sites it must connect to over HTTPS. But that data can be manipulated to fingerprint a specific browser. And because HSTS is a security feature most browsers maintain it whether you’re in private or normal mode – meaning that after your browser has been fingerprinted, you can be tracked even if your browser is in incognito mode.
When in private browsing or incognito mode your browser won’t store data such as cookies and browsing history once the private browsing session has ended – unless it’s tricked into doing so by a Super Cookie.
The story behind the story: Although Greenhalgh’s blog post is gaining traction, people have been talking about the privacy and security trade-offs of HSTS for some time. The Chromium team, which creates the open source browser that Chrome is based on, discussed the issue as early as 2011. In 2012, security firm Leviathan published a blog post raising similar concerns, and Robert “RSnake” Hansen raised the issue on his blog ha.ckers.org in 2010.
Although this issue has been known for some time it’s not clear if any sites are actually using this weakness to track users. Regardless, you can protect yourself on Chrome by erasing your cookies before going into incognito mode. Chrome automatically flushes the HSTS database whenever you delete your cookies. Firefox does something similar, but Greenhalgh says the latest version of Firefox solved this issue by preventing HSTS settings from carrying over to private browsing modes.
Safari is a bigger problem, however, as there is apparently no obvious way to delete the HSTS database on Apple devices like the iPad or iPhone, Greenhalgh says. HSTS flags are also synced with iCloud, making HSTS Super Cookie tracking even more persistent (at least in theory) when using Apple hardware.
HSTS Super Cookies only appear to work if you first visit a site in a non-private mode. Anyone visiting a site for the first time in private mode will not carry over an HSTS super cookie to their regular browsing.
As for Internet Explorer users, the good news is you are completely protected from this type of tracking! Now for the bad news: It’s because IE doesn’t support HSTS at all.