A little disturbing – HSTS can be used to guess some of your browser history


  • Moderator

    HSTS is supposed to make browsing more secure by letting a website say "Always demand HTTPS when visiting me" -- a directive which persists in the browser for some time period. Unfortunately, this can be used to guess some of your browsing history, in Chrome (and Chromium-based browsers like Vivaldi) and Firefox. See demo at: ht[b][/b]tp://zyan.scripts.mit.edu/sniffly/ More info: htt[b][/b]ps://zyan.scripts.mit.edu/blog/sniffly (Sorry, no active links, so just copy/paste. When I remember to, I've been limiting myself to non-linked URLs in my posts, because I don't want to trigger an automatic anti-spam banning yet again.)
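    To make the "persists in the browser for some time period" part concrete, here is a small Python model of a browser's HSTS store. It is an added illustration, not code from Sniffly or from any browser: it parses the Strict-Transport-Security header, remembers hosts until their max-age expires, and exposes the one decision a browser makes from that memory (upgrade http:// to https:// or not). That decision is only ever "yes" for hosts the browser has already visited over HTTPS, which is the state a history sniffer tries to observe; the `clear()` method is the corresponding "clear browsing data" mitigation. Host names in the test are constructed.

```python
"""Minimal model of a browser's HSTS store (added example, not Sniffly's code).

Once a host has been visited over HTTPS and sent a Strict-Transport-Security
header, the browser keeps a per-host 'always use HTTPS' bit until max-age
expires.  Any behaviour that depends on that bit is a potential history leak.
"""
import re

_MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns (max_age_seconds, include_subdomains), or None if the value is
    malformed (RFC 6797 requires a max-age directive).
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        m = _MAX_AGE_RE.fullmatch(directive)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_subdomains = True
        # Unknown directives (e.g. "preload") are ignored, as the RFC says.
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host 'known HSTS host' cache, keyed the way a browser keys it."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, host, header_value, now, over_https=True):
        """Record the header from a response received at time `now`."""
        if not over_https:
            return  # RFC 6797: ignore the header on plain-HTTP responses
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 means "forget me"
            return
        self._entries[host] = (now + max_age, include_subdomains)

    def should_upgrade(self, host, now):
        """True if an http:// request to `host` would be rewritten to https://.

        This is the observable bit: it is set only for hosts (or parents with
        includeSubDomains) the browser has already talked to over HTTPS.
        """
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # expired entries no longer count
            if candidate == host or include_subdomains:
                return True
        return False

    def clear(self):
        """What 'clear browsing data' does: drop the remembered state."""
        self._entries.clear()
```

    Every site you visit over HTTPS that sends this header leaves an entry whose lifetime is the site's own max-age (often a year), so the store can outlive the history list itself; clearing site data, or the browser partitioning or expiring this state, is what removes the signal.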



  • Works in Safari too…



  • I tested my V on Sniffly several months ago [sometime last year]. It was 100% wrong; not a single site that it said I had visited was true. Having just read your post now I gave it another try… once again 100% wrong. Impressive, not. That said, I do use Ghostery, uBlock Origin, HTTPS Everywhere... so maybe they were protecting me.



  • The method of "spying" on visited sites is known, but the implementation is not good enough.
    Sniffly is 100% wrong on my Vivaldi regarding secure sites I have been visiting.


  • Moderator

    @Gwen-Dragon:

    The method of "spying" on visited sites is known, but the implementation is not good enough.
    Sniffly is 100% wrong on my Vivaldi regarding secure sites I have been visiting.

    It's not working for me now in Vivaldi and Chrome, but IIRC it worked quite well against Vivaldi and Chrome in my testing when I first started this thread. I don't know; perhaps this is due to there now being some sort of mitigation fix in Chromium and/or Vivaldi. It's still working to some degree in Firefox, when I just tried.

