Unsafe: the HTTPS super-cookie

A security consultant from the United Kingdom has shown that a feature of the secure HTTPS web protocol can be turned into a tracking mechanism in some browsers.

HTTP Strict Transport Security (HSTS), described in RFC 6797, is a mechanism that lets websites redirect users from the insecure HTTP version of a site to its encrypted HTTPS version. If a user enters http://www.google.com in their browser, HSTS will automatically send them to https://www.google.com.

The problem is that someone thought it would be annoying if the User Agent, that is, your browser, had to go through a redirect every time a user typed an http address instead of https. So the authors of HSTS created a mechanism for browsers to remember the HSTS policy of the websites you have visited.
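To make the "remembering" concrete, here is a small model of a browser-side HSTS store written for this article; it is an added illustration, not code from the original post or from any browser. It parses the Strict-Transport-Security header as RFC 6797 specifies it (max-age, includeSubDomains), keeps an expiring entry per host, rewrites plain http URLs to https for known hosts, and exposes the clear() operation that some browsers offer as a mitigation. The host names and header values used are constructed for the example.

```python
"""Toy model of a browser's HSTS store (RFC 6797). Added example, not browser code."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds) after which the policy lapses
    include_subdomains: bool  # whether the policy also covers sub-domains


def parse_sts_header(value: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None when the value is invalid
    (no max-age, a duplicated max-age, or a non-numeric max-age)."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host HSTS state, keyed by lower-cased host name."""

    def __init__(self, now=time.time):
        self._entries = {}
        self._now = now  # injectable clock so expiry can be tested deterministically

    def observe(self, host: str, header_value: str, over_https: bool) -> bool:
        """Record the policy carried by a response; returns True if state changed."""
        # RFC 6797 section 8.1: the header is only honoured on a secure response
        if not over_https:
            return False
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        max_age, sub = parsed
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 withdraws the policy
            return True
        self._entries[host] = HstsEntry(self._now() + max_age, sub)
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if entry.expires <= self._now():
                del self._entries[candidate]  # lazily drop expired entries
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http URL to https when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        # RFC 6797 section 8.3: an explicit port 80 becomes the default https port
        netloc = parts.hostname if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def clear(self) -> None:
        """Forget all HSTS state (the per-browser mitigation the article mentions)."""
        self._entries.clear()


if __name__ == "__main__":
    store = HstsStore()
    store.observe("example.com", "max-age=31536000; includeSubDomains", over_https=True)
    print(store.rewrite("http://www.example.com/login"))  # upgraded to https
```

Because a policy is set silently on one HTTPS visit and then consulted on every later navigation to that host, the store effectively holds one remembered bit per host; that persistence is what the rest of the article is about, and clear() is the only thing that removes it.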

This is exactly what Sam Greenhalgh calls a super-cookie. His point is that an HSTS "pin" is set for each HTTPS redirect to a site you use, is unique to the user and the site, and can be read from your browser by any site.

"Once the number is saved, it could be read by other websites in the future. Reading the number only requires testing whether or not requests for the same web addresses are redirected," says Greenhalgh.

Greenhalgh notes that some browsers allow HSTS flags to be cleared, so in Chrome and Opera the issue is mitigated somewhat (IE does not support HSTS).

For Apple's Safari there doesn't seem to be any way for the user to clear HSTS flags. The flags are also synced through the iCloud service and will be restored immediately on a reset device. "In this case the device can effectively be 'branded' with an indelible tracking value that you have no way of erasing."

Written by Dimitris