Tuesday, 6 January 2015

Incognito Mode Does Not Protect Against Super Cookies

Users who use the incognito or private browsing mode of their browser are still to follow through so-called "super cookies", according to an online test of the British developer Sam Greenhalgh . The problem is caused by a security measure called "HTTP Strict Transport Security" (HSTS). The measure ensures that websites only be accessed through a secure connection.

In case a website HSTS enabled the browser via a special "flag" remember and ensure that there is made only over HTTPS connection. If the user specifies HTTP in the address he is automatically redirected to HTTPS. However, this automatic forwarding can also be used by a malicious website to save a unique number in the user's browser and follow him. This number can then be read by other websites. HSTS can also be used as a tracking mechanism in this way.

To give users more privacy browsers have for some time been added incognito or private browsing mode. These cookies are not shared with existing web sites and the user can delete the cookies so they can be tracked online. Because HSTS is a security measure and is not really meant for tracking, browsers go it differently than is the case with cookies.

Some browsers such as Google Chrome, Firefox and Opera are trying to resolve this issue by removing both cookies stored as HSTS-flags. According to Greenhalgh, existing HSTS-flags, unlike cookies, or shared with other websites, even if the user incognito or private browsing mode enabled. In the case of Safari, the problem seems to be even greater because Safari users on an Apple device have no possibility to remove the HSTS-flags. She even be synchronized with iCloud, so they can be returned if the user clears his extension.

"I do not know if the technique is used in the wild to track users, although that does not mean that this is not so," said Greenhalgh. He calls the technical community to see how the tracking area can be resolved while the value of HSTS retained. In a response to Google Chrome Security Team states that there are measures added to the browser to address the problem, but it is ultimately a tradeoff between security and privacy. This form of "fingerprinting" would therefore not be solved unless fundamental changes are made to the way the web works. "

No comments:

Post a Comment