On January 2 2015, Sam GreenHalgh of the UK based RadicalResearch, posted a blog about Super Cookies and how they can track internet users, even if their browsers are in privacy mode. Cookies have been used by websites for years to help them identify users whenever they return to a site. As more internet users have gone mobile, Microsoft and Google began looking for a way to track users' preferences across multiple devices.
Super Cookies were designed to do what Cookies do, remember a user's browsing history, etc, but they are intended to reside on your computer permanently. And, they can persist even when you are browsing in incognito mode. They do this by exploiting HTTP Strict Transport Security or HSTS. HSTS is a web feature that tells a website that it should only communicate with a user in HTTPS or an encrypted connection.
HSTS allows your browser to store the secure connection information from every secure website that a user might visit. Most browsers maintain HSTS, and because it is a security feature, they do so whether the browser is in normal or private mode. Though HSTS is not intended to be used for tracking, the data can be manipulated to fingerprint a prospective internet user and track their movements around the web.
Chrome, Firefox, and Opera all erase cookies and HSTS flags so that any stored data will be cleared. Apple iPads and iPhone, which use the Safari browser, have no way to clear HSTS flags. Internet Explorer doesn't support HSTS and is not vulnerable. At this time it is not clear if any websites are using HSTS to track users.
No comments:
Post a Comment