Pixel Envy

Written by Nick Heer.

Protecting Against HSTS Abuse

Brent Fulgham of the WebKit team:

HTTP Strict Transport Security (HSTS) is a security standard that provides a mechanism for web sites to declare themselves accessible only via secure connections, and to tell web browsers where to go to get that secure version. Web browsers that honor the HSTS standard also prevent users from ignoring server certificate errors.


What could be wrong with that?

Well, the HSTS standard describes that web browsers should remember when redirected to a secure location, and automatically make that conversion on behalf of the user if they attempt an insecure connection in the future. This creates information that can be stored on the user’s device and referenced later. And this can be used to create a “super cookie” that can be read by cross-site trackers.

I already think that most trackers are installed unethically, as users frequently aren’t aware of the implications of different cookie policies and privacy settings. But this is a special level of intrusive. At what point does a company offering a user tracking solution go beyond what is reasonably expected by customers from software like that and create something downright abusive to users’ rights? I’d argue that this is pretty close.
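The mechanism Fulgham describes, as an added example that is not code from WebKit, from his post, or from this site: a small JavaScript model of a browser’s HSTS store, plus a tracker that abuses it as storage. The hostnames (tracker.example with subdomains b0 through b15 and m), the 16-bit identifier width and the marker subdomain are assumptions made for illustration. The tracker writes an identifier by embedding HTTPS pixel loads, each answered with a Strict-Transport-Security header, from one subdomain per 1 bit; on a later page, on any site that embeds it, it requests the same hosts over plain HTTP and reads the identifier back from which requests the browser silently upgrades. Because the store is keyed by host alone, with no tie to the site the user is actually visiting, the read works cross-site, which is what makes it a super cookie.

```javascript
// Simulated HSTS "super cookie" (added example; not WebKit code or code from the post).
// Hostnames below (tracker.example and its subdomains) are assumed for illustration.

const YEAR = 365 * 24 * 3600;

// Minimal model of a browser's HSTS store: host -> expiry timestamp (seconds).
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Called when an HTTPS response carries a Strict-Transport-Security header.
  observeHeader(host, headerValue, now) {
    const m = /max-age\s*=\s*(\d+)/i.exec(headerValue || '');
    if (!m) return;
    const maxAge = Number(m[1]);
    if (maxAge === 0) { this.entries.delete(host); return; } // max-age=0 clears the entry
    this.entries.set(host, now + maxAge);
  }

  // Should a plain-HTTP request to this host be rewritten to HTTPS?
  shouldUpgrade(host, now) {
    const exp = this.entries.get(host);
    if (exp === undefined) return false;
    if (exp <= now) { this.entries.delete(host); return false; } // expired: forget it
    return true;
  }
}

// Tracker side: one subdomain per identifier bit, plus a marker subdomain so that
// "never tagged" can be told apart from an identifier whose bits are all zero.
const TRACKER = 'tracker.example';
const ID_BITS = 16;
const bitHost = i => `b${i}.${TRACKER}`;
const MARKER_HOST = `m.${TRACKER}`;

// The tracker's HTTPS endpoint always sets HSTS so the browser remembers the host;
// its plain-HTTP endpoint sets nothing (a browser ignores HSTS over HTTP anyway).
function httpsResponse() {
  return { scheme: 'https', headers: { 'strict-transport-security': `max-age=${YEAR}` } };
}
function httpResponse() { return { scheme: 'http', headers: {} }; }

// Browser model: fetch a URL, applying the HSTS upgrade and recording any header.
function fetchSim(store, url, now) {
  const u = new URL(url);
  const host = u.hostname;
  let scheme = u.protocol.replace(':', '');
  if (scheme === 'http' && store.shouldUpgrade(host, now)) scheme = 'https';
  const res = scheme === 'https' ? httpsResponse() : httpResponse();
  if (scheme === 'https') store.observeHeader(host, res.headers['strict-transport-security'], now);
  return res;
}

// Write: on first contact the tracker loads HTTPS pixels from the marker host and
// from every subdomain whose bit is 1. The browser stores an HSTS entry for each.
function writeId(store, id, now) {
  fetchSim(store, `https://${MARKER_HOST}/pixel`, now);
  for (let i = 0; i < ID_BITS; i++) {
    if ((id >>> i) & 1) fetchSim(store, `https://${bitHost(i)}/pixel`, now);
  }
}

// Read: on a later page (any site embedding the tracker) request every host over
// plain HTTP. Hosts the browser upgrades reach the HTTPS endpoint -> bit 1; the rest
// reach the HTTP endpoint -> bit 0. Returns null when the marker is absent or expired.
function readId(store, now) {
  if (fetchSim(store, `http://${MARKER_HOST}/pixel`, now).scheme !== 'https') return null;
  let id = 0;
  for (let i = 0; i < ID_BITS; i++) {
    if (fetchSim(store, `http://${bitHost(i)}/pixel`, now).scheme === 'https') id |= (1 << i);
  }
  return id >>> 0;
}

// Usage: tag a visitor on one site, then read the tag back on another.
const store = new HstsStore();
writeId(store, 48879, 1000);
console.log('read back:', readId(store, 2000)); // the same 48879, on any site
```

Two details matter in practice. The marker host is what lets the tracker distinguish a visitor it has never tagged (all requests stay on HTTP) from a visitor whose identifier happens to be zero; without it a zero identifier would be unreadable. And every read refreshes the entries it touches, because each upgraded request is answered over HTTPS with a fresh max-age, so the tag survives as long as the visitor keeps encountering the tracker; only expiry of the marker (or a deliberate max-age=0) makes the store forget it.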