A little disturbing – HSTS can be used to guess some of your browser history
-
HSTS is supposed to make browsing more secure by letting a website say "Always demand HTTPS when visiting me" -- a directive which persists in the browser for some time period. Unfortunately, this can be used to guess some of your browsing history, in Chrome (and Chromium-based browsers like Vivaldi) and Firefox. See demo at: ht[b][/b]tp://zyan.scripts.mit.edu/sniffly/ More info: htt[b][/b]ps://zyan.scripts.mit.edu/blog/sniffly [size=1](Sorry, no active links, so just copy/paste. When I remember to, I've been limiting myself to non-linked URLs in my posts, because I don't want to trigger an automatic anti-spam banning yet again.)[/size]
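Added example (not the poster's code, and not sniffly's): a simplified model of the browser-side HSTS state the post describes, showing how a `Strict-Transport-Security` header is parsed (RFC 6797 syntax) and how the resulting per-host entry persists until `max-age` runs out. The `HstsStore` class and its method names are assumptions for illustration; real browsers also consult a preload list and apply further rules. The privacy angle from the post follows directly from this model: for every host the store knows, the browser behaves differently than for a host it does not, which is the bit of history that can be probed.

```python
import re
from typing import Optional

# Simplified, added model of a browser's HSTS cache (assumption: not real
# browser code). Only header-driven state is modelled; no preload list.

def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value.
    Returns {'max_age': int, 'include_subdomains': bool, 'preload': bool},
    or None if the header is invalid (missing/bad max-age, repeated directive)."""
    max_age = None
    include_sub = False
    preload = False
    seen = set()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # RFC 6797: a directive must not appear more than once
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the spec requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}


class HstsStore:
    """Per-host HSTS entries: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self):
        self.entries = {}

    def observe(self, host: str, header: str, now: int) -> bool:
        """Record the policy a host sent over HTTPS at time `now`.
        Returns False if the header was invalid and therefore ignored."""
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def should_upgrade(self, host: str, now: int) -> bool:
        """Would a plain http:// request to `host` be rewritten to https:// at time `now`?
        Walks the host and each parent domain, honouring includeSubDomains and expiry."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue  # entry has aged out; behaves as if never seen
            if i == 0 or include_sub:
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    # Constructed sample: a site sending a one-year policy covering subdomains.
    store.observe("example.com", "max-age=31536000; includeSubDomains", now=1000)
    print(store.should_upgrade("www.example.com", now=2000))  # True: state persists
    print(store.should_upgrade("www.example.com", now=1000 + 31536000))  # False: expired
```

The `should_upgrade` decision is the observable side effect the thread is about: the answer is yes only for hosts (or parents with `includeSubDomains`) whose entry is still within `max-age`, so the store's contents leak through behaviour rather than through any readable API.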
-
Works in Safari too…
-
@Gwen-Dragon:
The method of "spying" visited sites is known but the implementation is not good enough.
Sniffly is 100% wrong on my Vivaldi regarding secure sites I have been visiting.
It's not working for me now in Vivaldi and Chrome, but IIRC it worked quite well against Vivaldi and Chrome in my testing when I first started this thread. I don't know; perhaps this is due to there now being some sort of mitigation fix in Chromium and/or Vivaldi. It's still working to some degree in Firefox, when I just tried.
-