HSTS can be used as a tracking mechanism analogous to cookies

Status: NEW (Unassigned)
Type: defect
Reported: 8 years ago; last modified: 3 months ago
Reporter: briansmith
Tracking: Depends on 1 bug, Blocks 1 bug, {privacy}
Version: Trunk
Whiteboard: [fxprivacy]

This was something we considered when implementing HSTS, but the security gain from its use outweighs the privacy encroachment (especially since sites can simply use cookies or your disk/image cache).

We implemented proper private browsing mode support (bug 557598: HSTS data accumulated in private mode will be erased when exiting private mode) to mitigate local-adversary concerns. 

Perhaps it would be worth exploring the addition of an about:config pref to disable HSTS for the ten people who want to disable this feature?

Updated the original URL as it is outdated. See: http://www.radicalresearch.co.uk/lab/hstssupercookies/ for a new PoC site. What about the idea of binding the wildcard feature to the includeSubdomains flag mentioned in the original blog post? Not worth the effort in the face of initiatives to get certificates easier and cheaper?

(In reply to Sid Stamm [:geekboy or :sstamm] from comment #1)
 
> Perhaps it would be worth exploring the addition of an about:config pref to
> disable HSTS for the ten people who want to disable this feature?

http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/ is now drawing additional attention to the issue, so I think there will be more than ten.
Duplicate of this bug: 1090433
Whiteboard: [fingerprinting]
WebKit implemented some mitigation to prevent that tracking: https://webkit.org/blog/8146/protecting-against-hsts-abuse/

Maybe you can consider implementing something similar...

Note, the WebKit blog post in comment 5 mentions they took steps because they saw active tracking via this vector in the wild.
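As an added illustration (not Firefox or WebKit code), the Python model below applies the two mitigations this thread points at: the private-mode erasure from bug 557598, and the scoping rule from the linked WebKit post, under which a Strict-Transport-Security header is only honoured when it comes from the top-level document's host or its registrable domain, so a third-party subresource cannot plant per-host state. The last-two-labels eTLD+1 heuristic and all names are assumptions of this example.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); real browsers consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


class HstsStore:
    """Toy HSTS state store with WebKit-style scoping and a private-mode partition."""

    def __init__(self):
        self.persistent = {}  # host -> includeSubDomains flag, written to disk
        self.private = {}     # in-memory only; cleared when private mode ends

    def record(self, top_level_url, response_url, header, private=False):
        """Honour an STS header only from the top-level host or its registrable domain.

        Returns True if the header changed state, False if it was ignored.
        """
        top = urlsplit(top_level_url).hostname
        resp = urlsplit(response_url)
        if resp.scheme != "https":
            return False  # HSTS is never accepted over plain HTTP
        if resp.hostname not in (top, registrable_domain(top)):
            return False  # cross-site subresource: cannot set tracking bits
        directives = dict(
            (d.strip().split("=", 1) + [None])[:2]
            for d in header.lower().split(";") if d.strip()
        )
        store = self.private if private else self.persistent
        if directives.get("max-age") == "0":
            store.pop(resp.hostname, None)  # max-age=0 clears the entry
            return True
        store[resp.hostname] = "includesubdomains" in directives
        return True

    def should_upgrade(self, url, private=False):
        """Private mode consults persistent state plus its own ephemeral entries."""
        host = urlsplit(url).hostname
        entries = dict(self.persistent)
        if private:
            entries.update(self.private)
        return any(host == h or (sub and host.endswith("." + h))
                   for h, sub in entries.items())

    def exit_private_mode(self):
        """Bug 557598 behaviour: HSTS state gathered in private mode is discarded."""
        self.private.clear()
```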
Whiteboard: [fxprivacy]
See Also: → 1447011
Depends on: 1447011
See Also: → 1542898