
A few questions:

  • What are HSTS super cookies?
  • How do they work?
  • Why is it possible to access them from multiple domains?
  • Do I have to worry, and if yes, how do I mitigate their effect?

Sources

http://www.radicalresearch.co.uk/lab/hstssupercookies
http://arstechnica.com/security/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway/

Gudradain

1 Answer


Basically, HSTS allows a site to store a flag (true or false), in other words a bit, in a web browser.

Storing an HSTS super cookie is accomplished in this way: let's say we want to store the value A, binary 01000001. We can store this by redirecting the user through a series of websites, like:

  • https://00.example.org indicating HSTS=off, redirecting to
  • https://01.example.org indicating HSTS=on, redirecting to
  • https://02.example.org indicating HSTS=off
  • ...
  • https://08.example.org indicating HSTS=on

"Reading" the cookie is as simple as redirecting the user to http://00.example.org. If HSTS is on, the web server will receive a request to https://00.example.org, else to http://00.example.org; it then redirects to http://01.example.org, and so on.

The misdesign in HSTS is that the browser "corrects" an HTTP visit to HTTPS automatically if HSTS is enabled. A better idea would be that an HTTP request to an HSTS resource instead fails completely, with no recourse for the user other than manually typing https before the URL. But such things might endanger usability.

No, you don't need to worry. A site that wants to track you could just as well store your IP address on the server side to be able to show targeted ads and such. If you want to surf completely anonymously, for example via TOR, you should turn off HSTS completely, and instead be wary of SSLstrip yourself by manually checking that HTTPS is being deployed.

sebastian nielsen
  • Interesting to see how this works. But in effect you say that for each bit, the browser needs a redirect to another page? Or is this operated in the background via JavaScript or an iframe? It seems very inefficient. – SPRBRN Jan 19 '15 at 15:57
  • Doesn't matter. You could for example use an img src=00.example.org/img.jpg and then it redirects sufficiently many times before serving the picture. – sebastian nielsen Jan 19 '15 at 16:10
  • Note that turning off HSTS in your browser [could make you vulnerable to cookie poisoning attacks](http://security.stackexchange.com/a/44976/8340). Also, an HSTS "super cookie" could be a longer-term tracking tool than your IP address, which is subject to change (either dynamically with your ISP, or if you log on from different locations). – SilverlightFox Jan 20 '15 at 17:38
  • 5
    Failing all HTTP requests to a domain with an HSTS policy won't hide the fact that the client knows about the HSTS policy. It is easy for the server to tell the difference between a client which makes an HTTP request and one which does not make an HTTP request. – kasperd Jan 21 '15 at 12:39
  • Using HTTP through TOR means you can't do any communication without some exit node seeing it in the clear. If the TOR client was extended with code to redirect all HTTP requests to HTTPS entirely on the client side, without any network communication at all, then you would both protect against malicious exit nodes and any information which HSTS might have leaked. – kasperd Jan 21 '15 at 12:43
  • 1
    @kasperd: Agree, but with a small difference: The difference is that if the request fails, you as a web site cannot know if the failure is due to a network error or due to HSTS. About the second issue, HSTS wont solve that. What I mean is that its better to manually configure sites that should use HSTS instead of letting browser handle it, if you are afraid of "super cookies". There is extensions like HTTPS Everywhere and such, where you can configure where HTTPS is forced, manually. – sebastian nielsen Jan 21 '15 at 15:45
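The write/read cycle described in the answer, and the point raised in the comments about blocking plaintext requests, as an added example that is not part of the original post or its comments. It is a self-contained simulation: a minimal browser model with an HSTS store, and a tracker server that sets a policy on `https://bN.example` for every 1-bit and later observes which scheme each `http://bN.example` request arrives on. The hostnames `b0.example` .. `b7.example`, the `?phase=` parameter and the 8-bit payload are assumptions made for this illustration; no network traffic is generated.

```javascript
// Added example (not from the original post): simulation of an HSTS super cookie.
// Hostnames bN.example, the ?phase= parameter and the payload are assumptions.
const BITS = 8;
const bitHost = (i) => `b${i}.example`;

// Minimal model of a browser's HSTS store. `mode` controls what happens to an
// http:// request for a host with a cached policy:
//   'upgrade' - rewrite to https:// before sending (what RFC 6797 requires)
//   'block'   - refuse to send the request at all (the stricter behaviour the
//               answer proposes instead of upgrading)
//   'off'     - ignore HSTS entirely (the answer's mitigation)
class Browser {
  constructor(mode = 'upgrade') { this.mode = mode; this.hsts = new Set(); }
  fetch(url, server) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.mode !== 'off' && this.hsts.has(u.hostname)) {
      if (this.mode === 'block') throw new Error(`refusing plaintext request to ${u.hostname}`);
      u.protocol = 'https:';
    }
    const res = server.handle(u);
    // A policy is only accepted from an https response; over http the header is ignored.
    if (this.mode !== 'off' && u.protocol === 'https:' && res.headers['strict-transport-security']) {
      this.hsts.add(u.hostname);
    }
    return res;
  }
}

// The tracker's server. In the write phase every https request gets an HSTS
// policy; in the read phase it records which scheme each bit-host request used.
class TrackerServer {
  constructor() { this.observed = {}; }
  handle(u) {
    const res = { status: 200, headers: {} };
    if (u.searchParams.get('phase') === 'write') {
      if (u.protocol === 'https:') res.headers['strict-transport-security'] = 'max-age=31536000';
    } else {
      this.observed[u.hostname] = u.protocol;
    }
    return res;
  }
}

// Write: for each 1-bit i load https://bi.example (stores a policy); for a 0-bit
// do nothing. This could be driven by a redirect chain or an <img> load, as in
// the answer and comments; the order of requests is all that matters here.
function writeSuperCookie(browser, server, value) {
  for (let i = 0; i < BITS; i++) {
    if ((value >> (BITS - 1 - i)) & 1) {
      browser.fetch(`https://${bitHost(i)}/px.gif?phase=write`, server);
    }
  }
}

// Read: load http://bi.example for every bit. Hosts with a cached policy arrive
// as https (bit 1); hosts without arrive as http (bit 0). If the browser blocks
// the request instead, nothing arrives, and the tracker can still score that
// as a 1: this is the comments' point that blocking does not hide the bit.
function readSuperCookie(browser, server) {
  let value = 0;
  for (let i = 0; i < BITS; i++) {
    try { browser.fetch(`http://${bitHost(i)}/px.gif?phase=read`, server); } catch (e) { /* blocked */ }
    const seen = server.observed[bitHost(i)];
    const bit = seen === 'http:' ? 0 : 1;
    value = (value << 1) | bit;
  }
  return value;
}

// Round trip for each browser mode, plus a fresh profile that never saw the
// write phase. A fresh TrackerServer is used for the read so that the value
// comes only from the browser's HSTS state, not from server-side memory.
function demo() {
  const results = {};
  for (const mode of ['upgrade', 'block', 'off']) {
    const browser = new Browser(mode);
    writeSuperCookie(browser, new TrackerServer(), 0x41); // 'A' = 01000001
    results[mode] = readSuperCookie(browser, new TrackerServer());
  }
  results.fresh = readSuperCookie(new Browser(), new TrackerServer());
  return results;
}

console.log(demo()); // { upgrade: 65, block: 65, off: 0, fresh: 0 }
```

Run it with `node`. Two things the simulation makes visible that the prose does not: the tracker's bit hosts are all under the tracker's control, so any third-party page that embeds one of its images can trigger the read phase, which is why the value is readable across sites; and only the 'off' mode actually reads back 0, because a browser that refuses plaintext requests still reveals which hosts it refused. The model does not cover policy expiry: clearing a 1-bit in a real browser would require an https response for that host carrying `max-age=0`.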