{"id":7380,"date":"2015-01-09T10:00:45","date_gmt":"2015-01-09T15:00:45","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=7380"},"modified":"2015-01-09T10:00:45","modified_gmt":"2015-01-09T15:00:45","slug":"super-cookies-can-track-you-even-in-private-browsing-mode-researcher-says","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/01\/09\/super-cookies-can-track-you-even-in-private-browsing-mode-researcher-says\/","title":{"rendered":"&#8216;Super cookies&#8217; can track you even in private browsing mode, researcher says"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2865297\/super-cookies-can-track-you-even-in-private-browsing-mode-researcher-says.html\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/01\/verizonpermacookies-100535657-gallery.png\" alt=\"\" \/><\/a><\/p>\n<p>If there&#8217;s one thing websites love to do it&#8217;s track their users. Now, it looks like some browsers can even be tracked when they&#8217;re in private or incognito mode. Sam Greenhalgh of U.K.-based RadicalResearch recently published a blog post with a proof-of-concept called &#8220;HSTS Super Cookies.&#8221; Greenhalgh shows how a crafty website could still track users online even if they&#8217;ve enabled a privacy-cloaking setting.<\/p>\n<p>The key to the exploit is to use HTTP Strict Transport Security (HSTS) for something it wasn&#8217;t intended for. HSTS is a modern web feature that allows a website to tell a browser it should only connect to the site over an encrypted connection.<\/p>\n<p>Say, for example, John types SecureSite.com into his browser with HSTS enabled. SecureSite&#8217;s servers can then reply to John&#8217;s browser that it should only connect to SecureSite over HTTPS. 
From that point on, all connections to SecureSite from John&#8217;s browser will use HTTPS by default.<\/p>\n<p>The problem, according to Greenhalgh, is that for HSTS to work your browser has to store the data about which sites it must connect to over HTTPS. But that data can be manipulated to fingerprint a specific browser. And because HSTS is a security feature, most browsers maintain it whether you&#8217;re in private or normal mode\u2014meaning that after your browser has been fingerprinted, you can be tracked even if your browser is in incognito mode.<\/p>\n<p>Even under cover of incognito mode, HSTS Super Cookies still make browsers trackable.<\/p>\n<p>When in private browsing or incognito mode (sometimes called &#8220;porn mode&#8221;) your browser won&#8217;t store data such as cookies and browsing history once the private browsing session has ended\u2014unless it&#8217;s tricked into doing so by a Super Cookie.<\/p>\n<p>The story behind the story: Although Greenhalgh&#8217;s blog post is gaining traction, people have been talking about the privacy and security trade-offs of HSTS for some time. The Chromium team, which creates the open source browser that Chrome is based on, discussed the issue as early as 2011. In 2012, security firm Leviathan published a blog post raising similar concerns, and Robert &#8220;RSnake&#8221; Hansen raised the issue on his blog ha.ckers.org in 2010.<\/p>\n<p>Protecting yourself<\/p>\n<p>Although this issue has been known for some time, it&#8217;s not clear if any sites are actually using this weakness to track users. Regardless, you can protect yourself on Chrome by erasing your cookies before going into incognito mode. Chrome automatically flushes the HSTS database whenever you delete your cookies. 
Firefox does something similar, but Greenhalgh says the latest version of Firefox solved this issue by preventing HSTS settings from carrying over to private browsing modes.<\/p>\n<p>Safari is a bigger problem, however, as there is apparently no obvious way to delete the HSTS database on Apple devices like the iPad or iPhone, Greenhalgh says. HSTS flags are also synced with iCloud, making HSTS Super Cookie tracking even more persistent (at least in theory) when using Apple hardware.<\/p>\n<p>HSTS Super Cookies only appear to work if you first visit a site in a non-private mode. Anyone visiting a site for the first time in private mode will not carry over an HSTS super cookie to their regular browsing.<\/p>\n<p>As for Internet Explorer users, the good news is you are completely protected from this type of tracking! Now for the bad news: It&#8217;s because IE doesn&#8217;t support HSTS at all.<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2865297\/super-cookies-can-track-you-even-in-private-browsing-mode-researcher-says.html\" target=\"_blank\">&#8216;Super cookies&#8217; can track you even in private browsing mode, researcher says | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If there&#8217;s one thing websites love to do it&#8217;s track their users. 
Now, it looks like some browsers can even [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9,10],"tags":[190,369,536,926,1049],"class_list":["post-7380","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-technology","tag-chrome","tag-firefox","tag-internet-explorer","tag-safari","tag-super-cookies"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1V2","jetpack-related-posts":[{"id":8751,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/11\/16\/state-sponsored-cyberspies-inject-victim-profiling-and-tracking-scripts-in-strategic-websites\/","url_meta":{"origin":7380,"position":0},"title":"State-sponsored cyberspies inject victim profiling and tracking scripts in strategic websites","author":"NCCT","date":"November 16, 2015","format":false,"excerpt":"By Lucian Constantin | PCWorld Web analytics and tracking cookies play a vital role in online advertising, but they can also help attackers discover potential targets and their weaknesses, a new report shows. 
Security researchers from FireEye have discovered an attack campaign that has injected computer profiling and tracking scripts\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8855,"url":"https:\/\/nccomputertech.com\/techtalk\/2016\/03\/07\/verizons-supercookie-fcc-settlement-requires-opt-in-for-some-tracking\/","url_meta":{"origin":7380,"position":1},"title":"Verizon&#8217;s &#8216;Supercookie&#8217; FCC settlement requires opt-in for some tracking","author":"NCCT","date":"March 7, 2016","format":false,"excerpt":"By Jared Newman | PCWorld Verizon Wireless is getting slapped with a fine and privacy requirements after inserting undeletable tracking cookies into users\u2019 browsing sessions. As part of a settlement with the Federal Communications Commission, Verizon will have to get users\u2019 permission to share these \u201csupercookies\u201d with third-party partners. However,\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6045,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/23\/researchers-reveal-3-devious-ways-online-trackers-shatter-your-privacy-and-follow-your-digital-footsteps-pcworld\/","url_meta":{"origin":7380,"position":2},"title":"Researchers reveal 3 devious ways online trackers shatter your privacy and follow your digital footsteps","author":"NCCT","date":"July 23, 2014","format":false,"excerpt":"Three stealthy tracking mechanisms designed to avoid weaknesses in browser cookies pose potential privacy risks to Internet users, a new research paper has concluded. 
The methods\u2014known as canvas fingerprinting, evercookies and cookie syncing\u2014are in use across a range of popular websites. The findings, first reported by Pro Publica, show how\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6892,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/11\/19\/att-kills-the-permacookie-stops-tracking-customers-internet-usage-for-now\/","url_meta":{"origin":7380,"position":3},"title":"AT&#038;T kills the &#8216;permacookie,&#8217; stops tracking customers&#8217; Internet usage (for now)","author":"NCCT","date":"November 19, 2014","format":false,"excerpt":"In recent weeks, Verizon and AT&T have been caught up in a privacy firestorm over their use of so-called \u201cpermacookies,\u201d a method of tracking what their users do while browsing the Web with the intent of sharing that data with advertisers. Verizon\u2019s permacookie program lives on, but AT&T has ceased\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3235,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/21\/how-easy-is-it-to-hack-javascript-in-a-browser\/","url_meta":{"origin":7380,"position":4},"title":"How easy is it to hack JavaScript in a browser?","author":"NCCT","date":"August 21, 2013","format":false,"excerpt":"This Q&A is part of a weekly series of posts highlighting common questions encountered by technophiles and answered by users at Stack Exchange, a free, community-powered network of 100+ Q&A sites. Jesus Rodriguez asks: My question has to do with JavaScript security. 
Imagine an auth system where you're using a\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7112,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/12\/10\/researchers-say-poodle-can-be-repurposed-to-attack-tls-10-percent-of-the-servers-vulnerable\/","url_meta":{"origin":7380,"position":5},"title":"Researchers say Poodle can be repurposed to attack TLS, 10 percent of the servers vulnerable","author":"NCCT","date":"December 10, 2014","format":false,"excerpt":"A couple of months after researchers at Google uncovered POODLE (Padding Oracle On Downgraded Legacy Encryption), a vulnerability in a specific version of the SSL protocol, security firm Qualys has announced that the issue also affects implementations of the TLS protocol. Poodle allows attackers to compromise the secure connection between\u2026","rel":"","context":"In 
&quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/7380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=7380"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/7380\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=7380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=7380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=7380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}