Aurich Lawson For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn’t save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can bypass these privacy modes unless users take special care. Ironically, the chink that allows websites to uniquely track people’s incognito browsing is a much-needed and relatively new security mechanism known as HTTP Strict Transport Security . Websites use it to ensure that an end user interacts with their servers only when using secure HTTPS connections. By appending a flag to the header a browser receives when making a request to a server, HSTS ensures that all later connections to a website are encrypted using one of the widely used HTTPS protocols. By requiring all subsequent connections to be encrypted, HSTS protects users against downgrade attacks, in which hackers convert an encrypted connection back into plain-text HTTP. Sam Greenhalgh, a technology and software consultant who operates RadicalResearch , has figured out a way to turn this security feature into a potential privacy hazard. His proof of concept is known as HSTS Super Cookies . Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at. There are two things that give his cookies super powers. The first is that once set, the cookies will be visible even if a user has switched to incognito browsing
Home / Tech News & Announcements / Super cookies allow sites to track users using most popular browsers even in privacy mode (Dan Goodin/Ars Technica)
Less talk, more walk.