“‘Safe’ browser feature lets websites track users in incognito mode”

A researcher has found a way to use HTTP Strict Transport Security, a mechanism intended to prevent the interception of internet connections, to track users on the internet. The method also works when someone browses in incognito mode.

With HSTS, websites use an HTTP header to tell the browser that, from then on, they may only be visited over HTTPS. Even if a user's connection is subsequently intercepted, the user is in principle safe on websites with HSTS, because the browser knows those sites may only be visited over HTTPS. In addition, Chrome and Firefox ship a list of commonly used websites, such as PayPal and Google, that may only ever be visited over HTTPS.

This functionality can, however, be abused to track users, as researcher Sam Greenhalgh discovered. An HSTS header amounts to a single bit that is either set or not. By using 32 different URLs, however, a string of 32 bits can be built that differs for each user. That allows a unique string to be created for more than 4 billion users, Ars Technica reports. Greenhalgh has created a proof-of-concept to back up his claims.

HSTS headers are not treated as cookies, which makes it possible to identify a user who is browsing in incognito mode; all that is required is that the user has visited the relevant website at least once in ‘normal’ mode.

In Firefox 34, the handling of HSTS headers has been changed and the problem can no longer be abused: in incognito mode, users can no longer be identified. In Chrome and Opera, Greenhalgh's method still works, although all the headers are lost if the user deletes cookies. In the Safari browser on the iPad and iPhone even that is not possible, which makes it the browser most vulnerable to the issue.
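The following is an added toy model, not code from the article or from Greenhalgh's proof-of-concept, that shows why the mitigations above work: a browser whose HSTS store is shared between normal and private mode exposes the 32-bit string in private mode, while a browser that partitions the store (as the article says Firefox 34 does) or wipes it together with cookies (Chrome and Opera) does not. Host names and the `BrowserModel` class are hypothetical.

```python
# Added example (not from the article): a toy model of a browser's HSTS store
# and of the two mitigations the article mentions. Nothing here talks to a
# network; "receiving" a header just records the host in a Python set.
ID_BITS = 32  # the article's figure: 32 hosts give 2**32 distinct strings


class BrowserModel:
    """Hypothetical browser with one HSTS store per browsing mode."""

    def __init__(self, partition_private: bool):
        self.partition_private = partition_private
        self.stores = {"normal": set(), "private": set()}

    def _store(self, mode: str) -> set:
        # Unpartitioned browsers reuse the normal-mode store in private
        # mode; that shared state is exactly what leaks the identifier.
        if mode == "private" and not self.partition_private:
            return self.stores["normal"]
        return self.stores[mode]

    def receive_hsts(self, mode: str, host: str) -> None:
        """Site sent Strict-Transport-Security: remember host as HTTPS-only."""
        self._store(mode).add(host)

    def would_upgrade(self, mode: str, host: str) -> bool:
        """Would a plain-http request to host be upgraded to https?"""
        return host in self._store(mode)

    def clear_site_data(self) -> None:
        """Deleting cookies also wipes HSTS state (Chrome/Opera behaviour)."""
        for store in self.stores.values():
            store.clear()


# Constructed host names, one per bit of the identifier.
HOSTS = [f"bit{i}.tracker.example" for i in range(ID_BITS)]


def record_identifier(browser: BrowserModel, mode: str, ident: int) -> None:
    """Model of the normal-mode visit: hosts for 1-bits send HSTS headers."""
    for i, host in enumerate(HOSTS):
        if (ident >> i) & 1:
            browser.receive_hsts(mode, host)


def observed_identifier(browser: BrowserModel, mode: str) -> int:
    """What a later visit in `mode` can learn from the upgrade behaviour."""
    return sum(browser.would_upgrade(mode, h) << i for i, h in enumerate(HOSTS))
```

A shared store yields the same value in private mode as in normal mode; a partitioned store yields 0 in private mode, and `clear_site_data()` zeroes it in every mode.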

According to Greenhalgh, there is no evidence that the method is being abused to track users, but that is not to say it is not happening. It has been known for years that HSTS headers are not treated any differently in incognito mode, though until now there was no working proof-of-concept showing that users can be tracked this way.
