A security consultant from the United Kingdom has shown that a feature of the secure HTTPS web protocol can be turned into a tracking mechanism in some browsers.
HTTP Strict Transport Security (HSTS), described in RFC 6797, is a mechanism that helps websites move users from the insecure HTTP version of a site to its encrypted HTTPS version. If a user enters http://www.google.com in their browser, HSTS will automatically send them to https://www.google.com.
The problem is that someone decided it would be annoying if the user agent, that is, your browser, had to go through a redirect every time a user typed an address with http instead of https. So the authors of HSTS created a mechanism that lets browsers remember the HSTS policy of the websites you have visited.
That is exactly what Sam Greenhalgh describes as a "super-cookie". The point is that an HSTS "pin" is set for each HTTPS redirect on a site you use; it is unique to the user and site, and it can be read back out of the browser's stored settings from any site you later visit.
"Once the number is saved, it could be read by other websites in the future. Reading the number only requires testing whether or not requests for the same web addresses are redirected," says Greenhalgh.
Greenhalgh notes that some browsers allow HSTS flags to be cleared, so in Chrome, Firefox and Opera the issue is somewhat mitigated (Internet Explorer does not support HSTS).
For Safari, Apple does not appear to give the user any way to clear the HSTS flags. The flags also sync via iCloud and are restored immediately on a freshly flashed device. "In this case the device can effectively be 'branded' with an indelible tracking value that you have no way of erasing."