Updated the original URL as it is outdated. See: http://www.radicalresearch.co.uk/lab/hstssupercookies/ for a new PoC site. What about the idea of binding the wildcard feature to the includeSubdomains flag mentioned in the original blog post? Not worth the effort in the face of initiatives to get certificates easier and cheaper?
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #1)
> Perhaps it would be worth exploring the addition of an about:config pref to
> disable HSTS for the ten people who want to disable this feature?

http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/ is now drawing additional attention to the issue, so I think there will be more than ten.
WebKit implemented some mitigation to prevent that tracking: https://webkit.org/blog/8146/protecting-against-hsts-abuse/ Maybe you can consider implementing something similar...
Note: the WebKit blog post in comment 5 mentions they took steps because they saw active tracking via this vector in the wild.
See Bug 1447011.