Closed Bug 648186 Opened 13 years ago Closed 2 months ago

HSTS can be used as a tracking mechanism analogous to cookies

Categories

(Core :: Security, defect)

RESOLVED FIXED

People

(Reporter: briansmith, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: privacy, Whiteboard: [fxprivacy])

This was something we considered when implementing HSTS, but the security gain from its use outweighs the privacy encroachment (especially since sites can simply use cookies or your disk/image cache).

We implemented proper private browsing mode support (bug 557598: HSTS data accumulated in private mode will be erased when exiting private mode) to mitigate local-adversary concerns.

Perhaps it would be worth exploring the addition of an about:config pref to disable HSTS for the ten people who want to disable this feature?

Updated the original URL as it is outdated. See: http://www.radicalresearch.co.uk/lab/hstssupercookies/ for a new PoC site. What about the idea of binding the wildcard feature to the includeSubdomains flag mentioned in the original blog post? Not worth the effort in the face of initiatives to get certificates easier and cheaper?
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #1)
 
> Perhaps it would be worth exploring the addition of an about:config pref to
> disable HSTS for the ten people who want to disable this feature?

http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/ is now drawing additional attention to the issue, so I think there will be more than ten.
Whiteboard: [fingerprinting]
WebKit implemented some mitigation to prevent that tracking: https://webkit.org/blog/8146/protecting-against-hsts-abuse/

Maybe you can consider implementing something similar...
Note, the WebKit blog post in comment 5 mentions they took steps because they saw active tracking via this vector in the wild.
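The following is an added example written for this page; it is not code from the bug thread, from Mozilla or from WebKit. It simulates the HSTS "supercookie" technique the bug describes (one tracker subdomain per ID bit, pinned via Strict-Transport-Security and read back by observing which http:// loads get upgraded) and two simplified mitigations: an HSTS store partitioned by top-level site, and a store that only accepts the header for the top-level document's own host, modelled loosely on the WebKit change linked in comment 5 (the exact WebKit rules are not reproduced). The hostnames (tracker.example, site.example), the 8-bit ID width and the two-label "registrable domain" shortcut are assumptions of the demo.

```javascript
// Added example, not code from the bug thread, Mozilla or WebKit. Simulates the
// HSTS supercookie and two simplified mitigations. Hostnames, bit width and the
// registrable-domain shortcut are constructed for the demo.

const BITS = 8;                                   // ID width; one bit host per bit
const bitHost = (i) => `b${i}.tracker.example`;   // constructed tracker hosts

// Simplified registrable domain (eTLD+1): last two labels. Real browsers consult
// the Public Suffix List; this shortcut is an assumption of the demo.
const registrable = (host) => host.split('.').slice(-2).join('.');

// Minimal HSTS store. `partitioned` keys entries by the top-level site that was
// open when the header arrived (network-partitioning style). `topOnly` accepts
// the header only for the top-level document's host or its registrable domain,
// so subresource loads cannot pin many subdomains (loosely after WebKit's change).
class HstsStore {
  constructor({ partitioned = false, topOnly = false } = {}) {
    this.partitioned = partitioned;
    this.topOnly = topOnly;
    this.entries = new Map();               // key -> { includeSubdomains }
  }
  key(topSite, host) {
    return this.partitioned ? `${registrable(topSite)}|${host}` : host;
  }
  // An https response from `host`, loaded while `topSite` is the top-level page,
  // carried a Strict-Transport-Security header. Returns whether it was honoured.
  onHeader(topSite, host, includeSubdomains = false) {
    if (this.topOnly && host !== topSite && host !== registrable(topSite)) return false;
    this.entries.set(this.key(topSite, host), { includeSubdomains });
    return true;
  }
  // Would an http:// request to `host` from a page on `topSite` be upgraded?
  // Exact match, or a parent entry that set includeSubDomains.
  shouldUpgrade(topSite, host) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const e = this.entries.get(this.key(topSite, labels.slice(i).join('.')));
      if (e && (i === 0 || e.includeSubdomains)) return true;
    }
    return false;
  }
}

// Write phase: on the tracker's own page, load https://b<i>.tracker.example for
// every 1-bit of `id`; each of those responses carries an HSTS header.
function writeId(store, id, topSite = 'tracker.example') {
  for (let i = 0; i < BITS; i++) {
    if ((id >> i) & 1) store.onHeader(topSite, bitHost(i));
  }
}

// Read phase: on any page (here site.example, which embeds the tracker), request
// http://b<i>.tracker.example/pixel. Pinned hosts are upgraded to https, unpinned
// ones are not, which the tracker can observe; the bits reassemble the ID.
function readId(store, topSite = 'site.example') {
  let id = 0;
  for (let i = 0; i < BITS; i++) {
    if (store.shouldUpgrade(topSite, bitHost(i))) id |= 1 << i;
  }
  return id;
}

// The naive store leaks the ID across sites; either mitigation breaks the read.
function demo(id = 0xa5) {
  const naive = new HstsStore();
  const partitioned = new HstsStore({ partitioned: true });
  const topOnly = new HstsStore({ topOnly: true });
  for (const s of [naive, partitioned, topOnly]) writeId(s, id);
  return { naive: readId(naive), partitioned: readId(partitioned), topOnly: readId(topOnly) };
}

console.log(demo());
```

The includeSubDomains question raised in comment 2 can be checked with the same store: a single `onHeader('tracker.example', 'tracker.example', true)` makes every bit host upgrade, so `readId` returns 0xFF for every visitor and the per-subdomain channel collapses to one bit. The partitioned store still honours HSTS for the tracker's own first-party page (`readId(store, 'tracker.example')` returns the written ID); it only denies the cross-site read.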
Whiteboard: [fxprivacy]
see Bug 1447011
See Also: → 1447011
Depends on: 1447011
Severity: normal → S3

I think bug 1635828 might have fixed this one?

Flags: needinfo?(dveditz)

agreed

Status: NEW → RESOLVED
Closed: 2 months ago
Depends on: 1635828
Flags: needinfo?(dveditz)
Resolution: --- → FIXED