Your cookie is set to:
Your cookie is:
HSTS technology allows HTTPS-supporting server to tell browser to send queries to a specific domain over HTTPS only, even if URL explicitly specified HTTP (without "S") schema. This was designed to reduce possibility of man-in-the-middle attacks which strip all HTTPS links down to plain HTTP, making them vulnerable to eavesdropping.
To prevent that, server sends Strict-Transport-Security: "max-age=<number_of_seconds>"
header, which tells browser that it must send all queries to that host for next number_of_seconds
over HTTPS only.
It was noticed that this means that browser stores one bit of information per domain (or subdomain) and to could be read with specially crafted script. Original demonstration of this (along with detailed explanation of HSTS) was created by Radical Research and utilized JavaScript to write and read bits from browser's HSTS storage.
I've been wondering if it's possible to track even paranoid NoScript visitors and after several attempts came up with such implementations. You can see it in action on upper-right corner of this page.
Assume that we have an evil website (say, hsts.nevkontakte.com) which has 8 subdomains like 1.hsts.nevkontakte.com, 2.hsts.nevkontakte.com, ..., 8.hsts.nevkontakte.com and additional subdomain tag.nevkontakte.com. Having this, we're able to store 9 bits of information in visitor's browser.
When a user visits http://hsts.nevkontakte.com/ for the first time
, where N is a bit number from 1 to 8 and X is 1 or 0 depending on value of corresponding bit in the identifier.https://N.hsts.nekvkontakte.com/set/1.css
server replies with header Strict-Transport-Security: "max-age=31536000"
, forcing all further requests to that subdomain to be sent over HTTPS.https://N.hsts.nekvkontakte.com/set/0.css
server replies with header Strict-Transport-Security: "max-age=0"
, allowing further requests to that subdomain to be sent over plain HTTP.On the next visit to http://hsts.nevkontakte.com/
http://N.hsts.nekvkontakte.com/get/<token>.css
and responds with CSS, which includes all this sub-stylesheets.http://N.hsts.nekvkontakte.com/get/<token>.css
, server will set N-th bit of variable associated with token
to 1 or 0, depending over which protocol request has arrived.This PoC demonstrates how powerful CSS can be combined with a bit of server-side magic, although it isn't usually regarded as a possible source of threat. Compared to original demo by Radical Research presented technique is even more scary due to following:
element:after {content: "some information"}
.Despite of said above, HSTS super cookie doesn't provide any practical threat to user's privacy. First and the most important is that it required one additional request per bit of identifier. This drastically slows down page load and no site which cares about it's audience can afford this. For example, this page uses 31 bit identifier. Assuming that browser opens up to 8 parallel connections per page and ping time to the server 100ms, it would take at least ~1.5 sec to fetch tracking-related stylesheets (dns + tcp handshake + request-response).
Second, although Chromium makes available HSTS records from regular mode to private browsing, it doesn't keep HSTS records received in private mode. So if you visit tracking site in private mode only, HSTS cookie will be destroyed as soon as you end private session. Firefox doesn't make make HSTS regular storage in private mode at all (which I personally consider wrong) and current version of IE doesn't support HSTS at all. So, there isn't much to be afraid of, really.