Thursday, April 27, 2017

Chrome & Firefox: Browser tracking despite private mode

Internet users can be tracked even with cookies disabled and while surfing in private mode. British IT consultant Sam Greenhalgh demonstrates this on his website. To do so, he abuses the HTTP Strict Transport Security (HSTS) mechanism.


HSTS was originally designed to guarantee secure use of the HTTPS protocol. It does this, for example, by automatically converting HTTP requests to HTTPS. In the course of the conversion, the site writes information such as the URL or preferences into a browser database.


Greenhalgh has now shown that JavaScript can uniquely identify the browser from the stored data. To do this, the URL entries are stored with a validity period that differs from browser to browser.


This allows the browser to be recognized the next time the site is visited, even if the user is in private mode, because incognito mode also accesses the relevant HSTS entries.


The issue mainly affects Google Chrome, which supports HSTS. Although Mozilla Firefox had the same problem at the time of Greenhalgh's analysis, the current version 34.0.5 no longer accesses the data in private surfing. Only users of Internet Explorer are spared, because it does not support HSTS at all.
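The difference between a private mode that reads the normal HSTS entries and one that does not, as an added example that is not code from the original article or from any browser: a simplified JavaScript model of an HSTS store. The host name `site.example`, the `HstsStore` class and the `openPrivateWindow` policy switch are assumptions made for illustration.

```javascript
// Simplified model of a browser HSTS store; not any browser's real code.
function parseHsts(value) {                       // header syntax per RFC 6797
  const out = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.split('=').map((s) => s.trim());
    const v = raw.replace(/^"|"$/g, '');
    if (/^max-age$/i.test(name) && /^\d+$/.test(v)) out.maxAge = Number(v);
    else if (/^includeSubDomains$/i.test(name)) out.includeSubDomains = true;
  }
  return out.maxAge === null ? null : out;        // max-age is mandatory
}

class HstsStore {
  constructor() { this.entries = new Map(); }
  // Record a header seen over HTTPS at time `now` (seconds).
  note(host, headerValue, now) {
    const p = parseHsts(headerValue);
    if (!p) return;
    if (p.maxAge === 0) this.entries.delete(host.toLowerCase());
    else this.entries.set(host.toLowerCase(),
      { expires: now + p.maxAge, sub: p.includeSubDomains });
  }
  // Would http://host be rewritten to https:// at time `now`?
  upgrades(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join('.'));
      if (e && e.expires > now && (i === 0 || e.sub)) return true;
    }
    return false;
  }
}

// Hypothetical policy switch: 'shared' lets a private window read the normal
// profile's entries (as described above); 'isolated' starts with an empty store.
function openPrivateWindow(normalStore, policy) {
  return policy === 'shared' ? normalStore : new HstsStore();
}

// Constructed scenario; site.example is a placeholder host.
function demo() {
  const normal = new HstsStore();
  normal.note('site.example', 'max-age=31536000', 0);
  return {
    shared: openPrivateWindow(normal, 'shared').upgrades('site.example', 60),
    isolated: openPrivateWindow(normal, 'isolated').upgrades('site.example', 60),
  };
}
console.log(demo()); // { shared: true, isolated: false }
```

With the isolated policy, nothing written during normal browsing is observable from the private window, which is the behaviour the article attributes to the current Firefox version.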
