Unsafe: the HTTPS super-cookie


A security consultant from the United Kingdom has shown that a feature of the secure HTTPS web protocol can be turned into a tracking mechanism in some browsers.

HTTP Strict Transport Security (HSTS), described in RFC 6797, is a mechanism that lets websites redirect users from the insecure HTTP version of a site to its encrypted HTTPS version. If a user enters http://www.google.com in their browser, HSTS automatically sends them to https://www.google.com.

The problem is that someone thought it would be annoying if the user agent (that is, your browser) had to go through a redirect every time a user typed an http address instead of https. So the authors of HSTS created a mechanism for browsers to remember the HSTS policy of the websites you have visited.
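As an added illustration (not code from the original article or from Greenhalgh), the following Python models the part of RFC 6797 the paragraphs above describe: a user agent that records a host's Strict-Transport-Security policy from an HTTPS response, later rewrites plain http:// requests to that host to https:// without asking the server again, forgets the entry once max-age has elapsed, and exposes a clear() that stands in for the "clear HSTS flags" control some browsers offer. The class and function names, the example.com hosts and the injectable clock are assumptions of this example.

```python
"""Minimal model of a browser's HSTS store, following RFC 6797 semantics."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds) after which the pin is dropped
    include_subdomains: bool  # whether the policy also covers subdomains


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None if the header is invalid
    (RFC 6797 requires a max-age directive; directive names are case-insensitive).
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """The per-browser list of 'known HSTS hosts' the article calls HSTS flags."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised without sleeping
        self.entries = {}       # hostname -> HstsEntry

    def observe_response(self, url, headers):
        """Record the policy carried by an HTTPS response; returns True if stored.

        A header received over plain HTTP is ignored, as RFC 6797 section 8.1 requires,
        otherwise an on-path attacker could plant pins.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        parsed = parse_hsts_header(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 tells the UA to forget the host
            return True
        self.entries[host] = HstsEntry(self.clock() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live pin."""
        host = host.lower()
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires <= now:
                del self.entries[candidate]   # lazily drop expired pins
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Apply the internal redirect: http:// to a known host becomes https://."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname):
            # RFC 6797 section 8.3: an explicit port 80 becomes 443 (the https default);
            # any other explicit port is preserved.
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

    def clear(self):
        """Forget every pin: the user-facing 'clear HSTS flags' action."""
        self.entries.clear()


if __name__ == "__main__":
    store = HstsStore()
    store.observe_response("https://example.com/",
                           {"Strict-Transport-Security": "max-age=3600; includeSubDomains"})
    print(store.rewrite("http://www.example.com/login"))   # upgraded without a network round-trip
    store.clear()
    print(store.rewrite("http://www.example.com/login"))   # left alone once the pins are cleared
```

The store answers "is this host known?" purely from local state, which is exactly the property the article goes on to discuss: a pin set by one site persists across visits, and only a user-controlled clear() (or expiry) removes it.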

That is exactly what Sam Greenhalgh regards as a super-cookie. His view is that an HSTS "pin" is set for every HTTPS redirect on a site you use, is unique to the user and the site, and can be read back from your browser's settings by any other site.

"Once the number is saved, it could be read by other websites in the future. Reading the number only requires testing whether or not requests for the same web addresses are redirected," says Greenhalgh.

Greenhalgh notes that some browsers allow HSTS flags to be cleared, so in Chrome, Firefox, and Opera the issue is somewhat mitigated (Internet Explorer does not support HSTS at all).

Apple Safari, by contrast, does not appear to give the user any way to delete HSTS flags. The flags are also synced through the iCloud service and are restored immediately to a device that has been reset and updated with new firmware. In this case the device can effectively be "branded" with an indelible tracking value that you have no way to delete.
