Tes Engineering Blog

Musings of the Tes Engineering Team


December 15, 2020

HSTS supercookies

by Rabea Gleissner

Did you know that the HTTP Strict Transport Security (HSTS) policy enables a form of supercookie?

I didn't, until recently. So I decided to dig into it a bit more to really understand what's what.

HSTS - security vs privacy

HSTS was invented to protect users against protocol downgrade attacks such as SSL stripping. It's meant to help keep users safe. However, an unintended side-effect is that it can be used to identify a user uniquely and therefore track which content they interact with on the internet.

It's a complicated subject, so I decided to give a short talk about it to my team. You can find a recording of my talk below if you are interested in learning more. In the talk I also explain briefly what supercookies are and how an SSL stripping attack works.

How HSTS supercookies work

Let's say a tracking company wants to know which users visit a particular web page. They embed several (hidden) images on that web page using plain HTTP links. The images are hosted on the tracking company's servers, each on its own hostname, because a browser remembers an HSTS policy per host. When the user visits the page, the requests for the images are made via HTTP. For some of these hosts the server responds with an HSTS header, which the browser remembers.

The next time the user visits that same webpage, the requests that previously received an HSTS header as part of the response will be made via HTTPS, while the others will be made via HTTP as before.

For this supercookie to work, each user needs to be given a unique combination of HTTP and HTTPS requests, i.e. a unique pattern of remembered HSTS entries. With n hidden images there are 2^n possible patterns, so if there are enough hidden images, quite a large number of users can be identified.
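To make the mechanism concrete, here is an added simulation (my own illustration, not code from this post or from any tracker) of a browser's per-host HSTS store and a tracker that uses eight image hosts, giving eight bits or 256 distinct identifiers; the hostnames, header values and the HTTP-to-HTTPS redirect are constructed assumptions. It also shows the check a defender cares about: the identifier is independent of cookies and only disappears once the HSTS entries themselves are cleared.

```python
from dataclasses import dataclass, field

# Constructed: one tracker host per hidden image (HSTS policy is kept per host).
HOSTS = [f"img{i}.tracker.example" for i in range(8)]

@dataclass
class Browser:
    hsts_hosts: set = field(default_factory=set)  # stored apart from cookies

    def fetch(self, scheme: str, host: str, tracker: "Tracker") -> None:
        if host in self.hsts_hosts:   # upgrade happens before the request leaves
            scheme = "https"
        status, headers = tracker.respond(scheme, host)
        if status == 301:             # follow the bounce to HTTPS
            self.fetch("https", host, tracker)
        elif scheme == "https" and "Strict-Transport-Security" in headers:
            self.hsts_hosts.add(host)  # RFC 6797: STS on plain HTTP is ignored

@dataclass
class Tracker:
    identifier: int = -1              # >= 0: write these bits; -1: read them
    seen_https: set = field(default_factory=set)

    def respond(self, scheme: str, host: str):
        bit = 1 << HOSTS.index(host)
        if self.identifier >= 0 and self.identifier & bit:
            if scheme == "http":      # bounce to HTTPS so HSTS can be set at all
                return 301, {"Location": f"https://{host}/pixel.gif"}
            return 200, {"Strict-Transport-Security": "max-age=31536000"}
        if scheme == "https":         # read phase: an upgraded request is a 1 bit
            self.seen_https.add(host)
        return 200, {}

    def read_identifier(self) -> int:
        return sum(1 << i for i, h in enumerate(HOSTS) if h in self.seen_https)

def page_load(browser: Browser, tracker: Tracker) -> None:
    for host in HOSTS:                # hidden images, all embedded as http://
        browser.fetch("http", host, tracker)

def simulate(user_id: int) -> tuple:
    browser, tracker = Browser(), Tracker(identifier=user_id)
    page_load(browser, tracker)       # first visit writes the bits
    tracker.identifier = -1           # later visits only read them
    page_load(browser, tracker)
    recovered = tracker.read_identifier()
    browser.hsts_hosts.clear()        # mitigation: clear HSTS state with cookies
    tracker.seen_https.clear()
    page_load(browser, tracker)
    return recovered, tracker.read_identifier()
```

`simulate(n)` returns the identifier the tracker reads back on a revisit and the value it reads after the browser has cleared its HSTS entries.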

Learn more in this talk

© Tes Engineering Team 2021 | All rights reserved