HTTP Strict Transport Security (HSTS) and Supercookies
-
I came across an interesting article in my mailbox this morning and thought I'd share with those that are interested... The article describes (in much more detail than I'll put here) how one can use HSTS to track users and how this can affect both privacy and security.

Link: [url=https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/]Anatomy of a browser dilemma - how HSTS 'supercookies' make you choose between privacy or security[/url]

HSTS makes it harder for attackers to downgrade an HTTPS connection by telling your browser which websites want to talk over HTTPS only. It uses a cookie-like file which is set when the server sends back an HTTP header. But these 'cookies', apparently, can be abused.

One method mentioned by the author is for a site to send you a page that includes links to several other domains that it controls. Then the site will use HSTS headers in replies to tell the user that some of those sites will in future require HTTPS, but others will not. Instead of setting one official cookie that contains five bits (binary digits) of data, the site has effectively set five unofficial cookies. Now the site can recover a pattern from your browser...

Different browsers handle these HSTS 'cookies' differently:

[quote]If you use Firefox or Safari, the HSTS data that's gathered during normal browsing does not persist when you switch to and from 'private' browsing. That's good for privacy and bad for security. If you use Chrome, then any HSTS data that's gathered during normal browsing will persist into Incognito mode. That's good for security and bad for privacy.[/quote]

The author advises users to keep HSTS data, as the risk to your privacy appears to be theoretical but the risk to your security is very real.
For more info and an example of how these 'cookies' work, see:

RadicalResearch, HSTS Super Cookies: http://www.radicalresearch.co.uk/lab/hstssupercookies

and Mikhail Davidov's article regarding the potential misuse of HSTS in April 2012: http://www.leviathansecurity.com/blog/the-double-edged-sword-of-hsts-persistence-and-privacy/

From the Google Chrome security team:
https://code.google.com/p/chromium/issues/detail?id=104935
https://code.google.com/p/chromium/issues/detail?id=258667

The Chromium security FAQ: http://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-isn-t-passive-browser-fingerprinting-including-passive-cookies-in-Chrome-s-threat-model-

Browser support: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Browser_support
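To make the privacy/security trade-off above concrete, here is a small simulation of a browser's HSTS "known hosts" store. It is an added illustration written for this thread, not code from the Sophos or Radical Research pages: the host names under `tracker.example` are constructed, and the two "clear cookies" and "private window" policies model the browser behaviours the posts describe (HSTS state cleared together with cookies, or carried into a private window, versus kept). The point it shows is that each per-host HSTS entry behaves as one persistent bit, so a cookie-clearing control that does not also clear HSTS state leaves the pattern readable.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: one page loads resources from five hosts the site controls
# (hypothetical names). Some responses carry an HSTS header, some do not, and one
# uses max-age=0, which RFC 6797 defines as "forget this host".
SAMPLE_RESPONSES = [
    ("b0.tracker.example", {"Strict-Transport-Security": "max-age=31536000"}),
    ("b1.tracker.example", {}),
    ("b2.tracker.example", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("b3.tracker.example", {}),
    ("b4.tracker.example", {"Strict-Transport-Security": "max-age=0"}),
]
SAMPLE_HOSTS = [host for host, _ in SAMPLE_RESPONSES]


def parse_hsts(value):
    """Return (max_age, include_subdomains) for an HSTS header value, or None if invalid.
    Directive names are case-insensitive; max-age is mandatory (RFC 6797 section 6.1)."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', val.strip())
            if not match:
                return None
            max_age = int(match.group(1))
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


@dataclass
class HstsStore:
    """Minimal model of a browser's HSTS known-hosts list: host -> (expiry, includeSubDomains)."""
    entries: dict = field(default_factory=dict)

    def observe(self, host, headers, now=0.0):
        # Only responses received over HTTPS may set HSTS; the sample is assumed to be such.
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 removes the host from the store
        else:
            self.entries[host] = (now + max_age, include_subdomains)

    def is_known(self, host, now=0.0):
        """True if the browser would upgrade http://host to https (host or a superdomain
        with includeSubDomains is pinned and unexpired)."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def readback(self, hosts, now=0.0):
        """The pattern a site could recover: one bit per host it controls."""
        return "".join("1" if self.is_known(h, now) else "0" for h in hosts)

    def clear_cookies(self, also_clear_hsts):
        """Model a 'clear cookies' action; browsers differ on whether HSTS goes too."""
        if also_clear_hsts:
            self.entries.clear()

    def private_window(self, carry_over):
        """Model opening a private/incognito window: fresh store, or a copy of this one."""
        return HstsStore(dict(self.entries) if carry_over else {})


def simulate():
    """Run the scenario from the thread and return the recovered bit patterns per policy."""
    store = HstsStore()
    for host, headers in SAMPLE_RESPONSES:
        store.observe(host, headers)
    results = {"after_visit": store.readback(SAMPLE_HOSTS)}
    results["private_fresh"] = store.private_window(carry_over=False).readback(SAMPLE_HOSTS)
    results["private_carry_over"] = store.private_window(carry_over=True).readback(SAMPLE_HOSTS)
    store.clear_cookies(also_clear_hsts=False)
    results["cookies_cleared_hsts_kept"] = store.readback(SAMPLE_HOSTS)
    store.clear_cookies(also_clear_hsts=True)
    results["cookies_and_hsts_cleared"] = store.readback(SAMPLE_HOSTS)
    return results


if __name__ == "__main__":
    for policy, bits in simulate().items():
        print(f"{policy:28s} {bits}")
```

Running it prints `10100` for the normal visit, for the carry-over private window and for a cookie clear that leaves HSTS alone, and `00000` only when HSTS state is cleared too, which is the mitigation the Radical Research quote in this thread points at. Note that `max-age=0` on `b4` reads back as 0 because the host is removed from the store, and that `b2`'s `includeSubDomains` also pins anything beneath it.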
-
Thanks for the links, greybeard.
Quote from Radical Research page:
Some browsers such as Google Chrome, Firefox and Opera do mitigate the issue. Erasing cookies on these browsers also erases HSTS flags so any stored value will be cleared. This underlines the need for effective cookie management by users.
-
I just did a quick test in Firefox 35. The test HSTS supercookie set by Radical Research does not persist using private window. However, it does persist in a normal window even if cookies are cleared on exit. Anyone like to test on other browsers?
-
In Opera Developer:
Retained cookie in normal mode. (After clearing cookies and cache.)
New (different) cookie generated in Incognito mode. (After clearing cookies and cache.)
Vivaldi behaves the same way in Normal mode. I do not see Incognito mode as yet.
Edit:
Opera 12.17
Retained cookie in normal mode. (After clearing cookies and cache.)
Retained cookie in Private mode. (After clearing cookies and cache.)
-
Steve Gibson dug into these "supercookies" over the past few weeks of the Security Now webcasts.
http://twit.tv/show/security-now
-
Thanks Doc,
Haven't had occasion to visit Steve's site lately and almost forgot about him.
Can you remember the episode or date? Their descriptions aren't very descriptive.