Closed
Bug 648186
Opened 14 years ago
Closed 7 months ago
HSTS can be used as a tracking mechanism analogous to cookies
Categories: Core :: Security, defect
Tracking: RESOLVED FIXED
People
(Reporter: briansmith, Unassigned)
References: Depends on 1 open bug, Blocks 1 open bug
Details: Keywords: privacy, Whiteboard: [fxprivacy]
Comment 1•14 years ago
This was something we considered when implementing HSTS, but the security gain from its use outweighs the privacy encroachment (especially since sites can simply use cookies or your disk/image cache). We implemented proper private browsing mode support (bug 557598: HSTS data accumulated in private mode will be erased when exiting private mode) to mitigate local-adversary concerns. Perhaps it would be worth exploring the addition of an about:config pref to disable HSTS for the ten people who want to disable this feature?
Comment 2•10 years ago
Updated the original URL as it is outdated. See: http://www.radicalresearch.co.uk/lab/hstssupercookies/ for a new PoC site. What about the idea of binding the wildcard feature to the includeSubdomains flag mentioned in the original blog post? Not worth the effort in the face of initiatives to get certificates easier and cheaper?
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #1)
> Perhaps it would be worth exploring the addition of an about:config pref to
> disable HSTS for the ten people who want to disable this feature?

http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/ is now drawing additional attention to the issue, so I think there will be more than ten.
Updated•7 years ago
Blocks: http-fingerprint
Updated•7 years ago
Whiteboard: [fingerprinting]
WebKit implemented some mitigation to prevent that tracking: https://webkit.org/blog/8146/protecting-against-hsts-abuse/ Maybe you can consider implementing something similar...
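To make the mitigation in the linked WebKit post concrete, here is an added illustration (written for this page, not Firefox or WebKit code) of the two rules as I read that post: a response may create HSTS state only for the top-level document's own host or its registrable domain (eTLD+1), and HSTS upgrades are not applied to third-party subresource loads from hosts whose cookie access is blocked. The store, the page being loaded, the tracker host names and the tiny public-suffix set are all constructed for the example; a real implementation would use the full Public Suffix List.

```python
# Added illustration of a WebKit-style HSTS-setting policy (not browser code).
# Rule 1: accept Strict-Transport-Security only for the top-level document's
#         host or its registrable domain (eTLD+1).
# Rule 2: do not apply HSTS upgrades to cookie-blocked third-party loads.
# Host names and the suffix set below are constructed for this example.

# Constructed stand-in for the Public Suffix List; a real implementation
# must use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host using PUBLIC_SUFFIXES (longest suffix wins)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # labels[i:] is a public suffix; keep one label in front of it.
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def may_set_hsts(document_host: str, response_host: str) -> bool:
    """Rule 1: only first-party hosts may create HSTS state."""
    return response_host in {document_host, registrable_domain(document_host)}


class HstsStore:
    """Minimal per-host HSTS store; mitigations can be switched off to compare."""

    def __init__(self, apply_mitigations: bool = True) -> None:
        self.apply_mitigations = apply_mitigations
        self.hosts: set[str] = set()

    def observe_response(self, document_host: str, response_host: str,
                         has_hsts_header: bool) -> bool:
        """Store HSTS state for response_host if allowed; return True if stored."""
        if not has_hsts_header:
            return False
        if self.apply_mitigations and not may_set_hsts(document_host, response_host):
            return False
        self.hosts.add(response_host)
        return True

    def should_upgrade(self, document_host: str, request_host: str,
                       cookies_blocked: bool) -> bool:
        """Rule 2: upgrade only if HSTS state exists and the load is not a
        cookie-blocked third-party request."""
        if request_host not in self.hosts:
            return False
        third_party = registrable_domain(request_host) != registrable_domain(document_host)
        if self.apply_mitigations and third_party and cookies_blocked:
            return False
        return True


def simulate_tracker_page(apply_mitigations: bool) -> int:
    """Load a constructed page whose 32 third-party subresources each send an
    HSTS header; return how many hosts end up with HSTS state."""
    store = HstsStore(apply_mitigations)
    document_host = "news.example.com"
    # The site's own host and its eTLD+1 legitimately set HSTS.
    store.observe_response(document_host, document_host, True)
    store.observe_response(document_host, "example.com", True)
    for bit in range(32):
        store.observe_response(document_host, f"b{bit}.tracker.net", True)
    return len(store.hosts)


if __name__ == "__main__":
    print("hosts with HSTS state, no mitigations:", simulate_tracker_page(False))
    print("hosts with HSTS state, with mitigations:", simulate_tracker_page(True))
```

Without the first rule every third-party host on the page gets its own HSTS entry, which is exactly the per-host state the bug title is about; with it, only the two first-party hosts are recorded, and the second rule keeps any entry that did get in from being consulted for cookie-blocked third-party loads.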
Comment 6•7 years ago
Note, the WebKit blog post in comment 5 mentions they took steps because they saw active tracking via this vector in the wild.
Whiteboard: [fxprivacy]
Comment 7•7 years ago
see Bug 1447011
Updated•2 years ago
Severity: normal → S3
Comment 9•7 months ago
agreed
Status: NEW → RESOLVED
Closed: 7 months ago
Depends on: 1635828
Flags: needinfo?(dveditz)
Resolution: --- → FIXED