Unsafe HTTPS: the super-cookie

A consultant from the United Kingdom has demonstrated that a feature of HTTPS, the secure web protocol, can be turned into a tracking mechanism in some browsers.

HTTP Strict Transport Security (HSTS), described in RFC 6797, is a mechanism that lets a website tell browsers to reach it only over encrypted HTTPS rather than plain HTTP. If a user enters http://www.google.com in their browser, HSTS will automatically take them to https://www.google.com.

The catch is that someone thought it would be annoying if the user agent, that is, your browser, had to go through a redirect every time a user typed an address with http instead of https. So the authors of HSTS created a mechanism for browsers to remember the HSTS policy of websites you have visited: once a site has sent the Strict-Transport-Security header over HTTPS, the browser rewrites later http:// requests to https:// by itself, without ever contacting the site over plain HTTP.

That is exactly what Sam Greenhalgh says makes HSTS behave like a super-cookie. His point is that an HSTS "pin" is set for each HTTPS redirect on the site you use, can be made unique to the user and the site, is stored in your browser's settings, and can be read back from any other website. In practice a tracking site hands the visitor a unique number one bit at a time: it uses one subdomain per bit and sets HSTS only on the subdomains that correspond to a 1.

"Once the number is saved, it could be read by other websites in the future. Reading the number only requires testing whether or not requests for the same web addresses are redirected," says Greenhalgh.
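To make the write and read steps concrete, here is an added example in JavaScript; it is not code from the article or from Greenhalgh's demonstration. It models the browser's HSTS store as the host-keyed table RFC 6797 describes, and assumes a tracking domain hsts-tracker.example with one bN. subdomain per bit of the identifier; both the domain and the 32-bit width are illustrative choices.

```javascript
// Added example (not from the article or Greenhalgh's demo): a simulation of
// the HSTS super-cookie. The HSTS store, the tracking domain
// hsts-tracker.example and its bN. subdomains are assumptions for illustration.

// The browser's HSTS store as RFC 6797 describes it: host -> expiry time (ms).
// It is keyed by host only, not by the page that triggered the request, which
// is why any website can later read what another one wrote.
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Process a Strict-Transport-Security header. RFC 6797 says the header must
  // be ignored when received over plain HTTP, and max-age=0 deletes the entry.
  processHeader(host, headerValue, overHttps, now = Date.now()) {
    if (!overHttps) return;
    const m = /max-age\s*=\s*"?(\d+)"?/i.exec(headerValue);
    if (!m) return;
    const maxAge = Number(m[1]);
    if (maxAge === 0) {
      this.entries.delete(host);
    } else {
      this.entries.set(host, now + maxAge * 1000);
    }
  }

  // Would the browser rewrite http://host/ to https://host/ before sending it?
  upgrades(host, now = Date.now()) {
    const expiry = this.entries.get(host);
    if (expiry === undefined) return false;
    if (expiry <= now) {           // expired pin: drop it
      this.entries.delete(host);
      return false;
    }
    return true;
  }

  // What clearing the HSTS flags in a browser amounts to.
  clear() { this.entries.clear(); }
}

const TRACKER = 'hsts-tracker.example';   // assumed tracking domain
const BITS = 32;                          // one subdomain per bit of the ID
const bitHost = (i) => `b${i}.${TRACKER}`;

// Writer: the tracking page makes the browser load https://bN.<tracker>/ for
// every bit of the ID that is 1; those responses carry an HSTS header. Hosts
// for 0 bits are never contacted, so they get no pin.
function writeId(store, id) {
  for (let i = 0; i < BITS; i++) {
    if ((id >>> i) & 1) {
      store.processHeader(bitHost(i), 'max-age=31536000', true);
    }
  }
}

// Reader: any site later asks the browser to load http://bN.<tracker>/. The
// tracker serves different content on http and https, so the reading page
// can tell whether the browser upgraded the request (bit 1) or not (bit 0).
function readId(store) {
  let id = 0;
  for (let i = 0; i < BITS; i++) {
    if (store.upgrades(bitHost(i))) id |= (1 << i);
  }
  return id >>> 0;   // treat as unsigned 32-bit
}

// Demo: write on one site, read it back from "another", then clear the store.
function demo() {
  const browser = new HstsStore();
  writeId(browser, 0xDEADBEEF);
  const seen = readId(browser);          // 3735928559, i.e. 0xDEADBEEF
  browser.clear();
  const afterClear = readId(browser);    // 0
  return { seen, afterClear };
}
```

In a real browser the read step issues one http:// request per bN host and the tracker answers differently on port 80 and port 443; the simulated store stands in for that round trip. The clear() call models the only user-side remedy the article goes on to describe: wiping the stored flags.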

Greenhalgh notes that some browsers allow HSTS flags to be cleared, so in Chrome, Firefox, and Opera the issue is somewhat mitigated (IE does not support HSTS).

For Apple's Safari there appears to be no way for the user to delete the HSTS flags. The HSTS flags also keep being synchronised through the service and will be restored immediately on a device that has been reflashed with new firmware. "In this case the device can effectively be 'branded' with an indelible tracking value that you have no way to delete."


Written by Dimitris
