A security consultant from the United Kingdom has shown that a feature of the secure HTTPS Web Protocol can be turned into a tracking feature in some browsers.
HTTP Strict Transport Security (HSTS), as described in RFC 6797, is a mechanism that helps websites redirect users from thesafe version of HTTP in its encrypted version HTTPS. If a user enters http://www.google.com in their browser, HSTS will automatically send them to https://www.google.com.
The problem is, someone thought it might be annoying if the User Agent – that is, your browser – had to go through a redirect every time a user instead of https writes addresses with http. So the authors of HSTS created a mechanism to remember the browsers the HSTS policy of the websites you have visited.
That's exactly what Sam Greenhalgh feels like a super-cookie or super-cookie. His point of view is that a "pin" HSTS is set for each HTTPS redirect in the location you use, is unique to the user and the space, and is readable by your browser settings from any location.
"Once the number is saved, it could be read by other websites in the future. "Reading the number only requires testing whether or not requests for the same web addresses are redirected," says Greenhalgh.
Greenhalgh notes that some browsers allow HSTS flags to be cleared, and so in Chrome, the Firefox and Opera the issue is mitigated somewhat (IE does not support HSTS).
For Apple's Safari there doesn't seem to be any way deletionof HSTS flags by the user. HSTS flags continue to sync with the iCloud service and will be restored immediately on the flashed device. “In this case the device can effectively be 'branded', with indelible tracking value that you have no way of delete. "
