{"id":7380,"date":"2015-01-09T10:00:45","date_gmt":"2015-01-09T15:00:45","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=7380"},"modified":"2015-01-09T10:00:45","modified_gmt":"2015-01-09T15:00:45","slug":"super-cookies-can-track-you-even-in-private-browsing-mode-researcher-says","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/01\/09\/super-cookies-can-track-you-even-in-private-browsing-mode-researcher-says\/","title":{"rendered":"&#8216;Super cookies&#8217; can track you even in private browsing mode, researcher says"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2865297\/super-cookies-can-track-you-even-in-private-browsing-mode-researcher-says.html\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/01\/verizonpermacookies-100535657-gallery.png\" alt=\"\" \/><\/a><\/p>\n<p>If there&#8217;s one thing websites love to do, it&#8217;s track their users. Now, it looks like some browsers can even be tracked when they&#8217;re in private or incognito mode. Sam Greenhalgh of U.K.-based RadicalResearch recently published a blog post with a proof-of-concept called &#8220;HSTS Super Cookies.&#8221; Greenhalgh shows how a crafty website could still track users online even if they&#8217;ve enabled a privacy-cloaking setting.<\/p>\n<p>The key to the exploit is to use HTTP Strict Transport Security (HSTS) for something it wasn&#8217;t intended for. HSTS is a modern web feature that allows a website to tell a browser it should only connect to the site over an encrypted connection.<\/p>\n<p>Say, for example, John types SecureSite.com into a browser that supports HSTS. SecureSite&#8217;s servers can then reply to John&#8217;s browser that it should only connect to SecureSite over HTTPS. 
From that point on, all connections to SecureSite from John&#8217;s browser will use HTTPS by default.<\/p>\n<p>The problem, according to Greenhalgh, is that for HSTS to work, your browser has to store data about which sites it must connect to over HTTPS. But that data can be manipulated to fingerprint a specific browser. And because HSTS is a security feature, most browsers maintain it whether you&#8217;re in private or normal mode\u2014meaning that after your browser has been fingerprinted, you can be tracked even if your browser is in incognito mode.<\/p>\n<p>Even under cover of incognito mode, HSTS Super Cookies still make browsers trackable.<\/p>\n<p>When in private browsing or incognito mode (sometimes called &#8220;porn mode&#8221;) your browser won&#8217;t store data such as cookies and browsing history once the private browsing session has ended\u2014unless it&#8217;s tricked into doing so by a Super Cookie.<\/p>\n<p>The story behind the story: Although Greenhalgh&#8217;s blog post is gaining traction, people have been talking about the privacy and security trade-offs of HSTS for some time. The Chromium team, which creates the open source browser that Chrome is based on, discussed the issue as early as 2011. In 2012, security firm Leviathan published a blog post raising similar concerns, and Robert &#8220;RSnake&#8221; Hansen raised the issue on his blog ha.ckers.org in 2010.<\/p>\n<p>Protecting yourself<\/p>\n<p>Although this issue has been known for some time, it&#8217;s not clear if any sites are actually using this weakness to track users. Regardless, you can protect yourself on Chrome by erasing your cookies before going into incognito mode. Chrome automatically flushes the HSTS database whenever you delete your cookies. 
Firefox does something similar, but Greenhalgh says the latest version of Firefox solved this issue by preventing HSTS settings from carrying over to private browsing modes.<\/p>\n<p>Safari is a bigger problem, however, as there is apparently no obvious way to delete the HSTS database on Apple devices like the iPad or iPhone, Greenhalgh says. HSTS flags are also synced with iCloud, making HSTS Super Cookie tracking even more persistent (at least in theory) when using Apple hardware.<\/p>\n<p>HSTS Super Cookies only appear to work if you first visit a site in a non-private mode. Anyone visiting a site for the first time in private mode will not carry over an HSTS super cookie to their regular browsing.<\/p>\n<p>As for Internet Explorer users, the good news is you are completely protected from this type of tracking! Now for the bad news: It&#8217;s because IE doesn&#8217;t support HSTS at all.<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2865297\/super-cookies-can-track-you-even-in-private-browsing-mode-researcher-says.html\" target=\"_blank\">&#8216;Super cookies&#8217; can track you even in private browsing mode, researcher says | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If there&#8217;s one thing websites love to do it&#8217;s track their users. 
Now, it looks like some browsers can even [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7,9,10],"tags":[190,369,536,926,1049],"class_list":["post-7380","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-technology","tag-chrome","tag-firefox","tag-internet-explorer","tag-safari","tag-super-cookies"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1V2","jetpack-related-posts":[{"id":9910,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/02\/11\/slap-and-flop-siri-ios-18-3-update-apple-music\/","url_meta":{"origin":7380,"position":0},"title":"Slap and Flop &#8211; Siri, iOS 18.3 Update, Apple Music","author":"NCCT","date":"February 11, 2025","format":false,"excerpt":"https:\/\/youtu.be\/Xwqi58VczQ4 What's going on with Siri? iOS 18.3 update is out now, along with a fix to a zero-day flaw. You can buy iPhones on eBay with TikTok installed on them as TikTok is still not available for download on the App Store. 
And on January 27th, 2010, Steve Jobs\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/Xwqi58VczQ4\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9511,"url":"https:\/\/nccomputertech.com\/techtalk\/2019\/01\/22\/millsplain-it-to-me-this-week-in-tech-702\/","url_meta":{"origin":7380,"position":1},"title":"Millsplain It to Me &#8211; This Week in Tech 702","author":"NCCT","date":"January 22, 2019","format":false,"excerpt":"https:\/\/youtu.be\/EtTfFJVBZ6s -Apple's Tim Cook Calls for Data Privacy. -773M Passwords Pwned - How to Find Out If Yours Was. -Amazon Tries to Make Alexa Sound \"Newsy.\" -Google Buys Fossil. -74% of Facebook Users are Clueless. -Facebook's 10 Year Challenge. -Atari Founder Making Alexa Board Games. -Stop Using Windows Phone! -Tokyo\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/EtTfFJVBZ6s\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9890,"url":"https:\/\/nccomputertech.com\/techtalk\/2024\/12\/08\/49-years-of-video-game-consoles-in-10-minutes\/","url_meta":{"origin":7380,"position":2},"title":"49 Years Of Video Game Consoles in 10 Minutes","author":"NCCT","date":"December 8, 2024","format":false,"excerpt":"https:\/\/youtu.be\/27_xEN5srVI Believe it or not, the home video game console has been around for nearly 49 years. Yes, that\u2019s almost half a century. Since 1972, we\u2019ve seen over 30 consoles created and sold in North America, which is a ridiculous amount of consoles. 
That\u2019s an average of more than one\u2026","rel":"","context":"In &quot;Hardware&quot;","block_context":{"text":"Hardware","link":"https:\/\/nccomputertech.com\/techtalk\/category\/hardware\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/27_xEN5srVI\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9330,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/04\/03\/security-now-657-protonmail\/","url_meta":{"origin":7380,"position":3},"title":"Security Now 657: ProtonMail","author":"NCCT","date":"April 3, 2018","format":false,"excerpt":"https:\/\/youtu.be\/OeSZg-ph3Ns This week we discuss \"DrupalGeddon2\", Cloudflare's new DNS offering, a reminder about GRC's DNS Benchmark, Microsoft's Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, Free electricity, a policy change at\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/OeSZg-ph3Ns\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9343,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/05\/27\/this-week-in-tech-668-how-many-cups-in-a-stone\/","url_meta":{"origin":7380,"position":4},"title":"This Week in Tech 668: How Many Cups in a Stone?","author":"NCCT","date":"May 27, 2018","format":false,"excerpt":"https:\/\/youtu.be\/i1oqaFyVcQ0 --The FBI wants you to reboot your router right now. FBI agents have gained control of a huge Russian botnet. If your router is affected you just need to reboot it. --Facebook and Russian ads - how should government react in the age of cyber warfare? 
--Amazon sells facial\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/i1oqaFyVcQ0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9477,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/12\/16\/the-big-leek-cabal-this-week-in-tech-697\/","url_meta":{"origin":7380,"position":5},"title":"The Big Leek Cabal &#8211; This Week in Tech 697","author":"NCCT","date":"December 16, 2018","format":false,"excerpt":"https:\/\/youtu.be\/4JZfm6VIBfc - Elon Musk is a terrible person to work for. - The internet is a garbage fire of hate. - It is not Google's fault that searching for \"idiot\" results in pictures of Donald Trump. - The Chinese are not spying on you with secret spy chips on Super\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/4JZfm6VIBfc\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/7380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=7380"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/7380\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=7380"}],"wp:term":[{"taxonomy":"category","embe
ddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=7380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=7380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}