December 15, 2020
by Rabea Gleissner
Did you know that the HTTP Strict Transport Security (HSTS) policy enabled a form of supercookie?
I didn't, until recently. So I decided to dig into it a bit more to really understand what's what.
HSTS was invented to protect users against downgrade attacks such as SSL stripping, where an attacker quietly replaces a site's HTTPS connection with plain HTTP. It is meant to keep users safe. An unintended side-effect, however, is that the per-host HSTS state a browser stores can be used to identify a user uniquely and therefore to track which content they interact with on the internet.
It's a complicated subject and I decided to give a short talk about it to my team. You can find a recording of my talk below if you are interested in learning more. In the talk I also explain briefly what supercookies are and how an SSL stripping attack works.
Let's say a tracking company wants to know which users visit a particular web page. It embeds several hidden images in that page, each referenced by a plain http:// URL and each served from a different hostname that the tracking company controls. The separate hostnames matter: a browser stores HSTS state per host, so one image per host is what makes each image an independent bit. When the user first visits the page, the browser requests all the images over HTTP. For some of the hostnames the tracking server redirects the request to HTTPS and answers there with a Strict-Transport-Security header, which the browser remembers for that host; for the other hostnames it simply serves the image over HTTP. The redirect is necessary because browsers ignore an HSTS header that arrives over plain HTTP.
The next time the user visits the same web page, the browser upgrades the requests for the hosts it has an HSTS entry for to HTTPS before sending them, while the requests for the remaining hosts are still made over HTTP. The tracking server only has to note which image requests arrive over HTTPS and which over HTTP to read the pattern back.
For this supercookie to work, each user must be assigned a distinct pattern of HTTPS and HTTP hosts. Every hidden image contributes one bit, so n images can distinguish 2^n users: with 32 hidden images the tracker can hand every visitor a unique 32-bit identifier, and the identifier survives clearing ordinary cookies because it lives in the browser's HSTS store.