
There is already a large flora of "supercookies" and browser fingerprinting methods out there. I am wondering whether HPKP provides yet another method to track users?

A server could send an extra backup key that is never intended to be used as a public key, but instead is a unique identifier for that visitor. The browser will happily store it, and persist it even if browsing history and cookies are flushed. If the key could somehow be recovered from the client (without having to try all possible keys until you find one that validates) it could be used for tracking users.

So my questions are:

  • Can this be done?
  • Is it in fact used in the wild?
  • Is there any way to protect yourself other than turning off HPKP completely?
Anders
  • I think the problem comes from your parenthesis: I don't think it would scale well, since you'd need a unique key pair per visitor... – Matthew Jun 08 '16 at 11:16

1 Answer


HPKP could be used for tracking in big scale since it has report URIs:

  1. Send HPKP header with includeSubdomains set and a report-uri with unique random generated parameter.
  2. Embed a hidden image from a subdomain that uses an invalid/not-pinned certificate.
  3. Browser calls report-uri with unique parameter.

The only issue I see is that a new report-uri with a new UID is issued each time the user visits the site that sets the UID.

Also see the Privacy Considerations section of the HPKP RFC.

you
  • Let's Encrypt certs are free and can be obtained automatically rather quickly, and just because Apache doesn't support a particular use case doesn't mean it's impossible. The real question here is whether the server has a way to check what HPKP keys the browser has pinned. – Ajedi32 Jun 08 '16 at 13:22
  • "Let's Encrypt certs are free and can be obtained automatically rather quickly" yes, [if you don't track more than 100 persons a week.](https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769) Or you need more than 1 domain (not subdomains). And even then you'd need 20 subdomains – you Jun 08 '16 at 13:34
  • More than 100 _new_ people per week, yes. After a cert is issued, you could continue using it to track the person it was issued for until it expired. But you make a good point: even with Let's Encrypt this method doesn't scale well. – Ajedi32 Jun 08 '16 at 13:42
  • @Ajedi32 just had an idea how this might be possible. see edit. – you Jun 08 '16 at 13:53
  • @you Thanks for the answer! I think this answer would be much better if you removed the first part since the second part invalidates it anyway. Great with a link to the relevant part of the RFC! – Anders Jun 08 '16 at 15:26
  • One certificate per user is not necessary. Simply apply some binary encoding and the number of certs required becomes `log(users to track)`. I.e. 10 certs for 10 sub-domains can track 1023 users if you use different combinations of them for each user. – billc.cn Jun 08 '16 at 16:03
  • It seems like there is already a way to use HSTS (similar but different to HPKP) to track users. Basically, different HSTS policies are set for different subdomains for each user, and then the sites can identify the user by requesting the resources over HTTP and seeing which ones get upgraded to HTTPS. – tonytan Jun 08 '16 at 19:40
  • I made an edit to remove the old answer and focus on the new, since that is the correct and useful part. I think an answer should focus on the relevant information for future visitors, and not how it was arrived at. Feel free to rollback if you disapprove. – Anders Jun 18 '16 at 09:18
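As an added example from the auditing side (this code is not from the question, the answer or any of the commenters), the script below parses a `Public-Key-Pins` header and flags the signals discussed in this thread: a `report-uri` that carries a token-looking query parameter, that token combined with `includeSubDomains` (the exact recipe in the answer, where a deliberately mis-pinned subdomain resource makes the browser send the report), an unusually long `max-age`, more pins than a primary-plus-backup setup needs, and pin values that are not a base64-encoded SHA-256 digest. The two sample headers, the hostnames and the token value are constructed for the example; the "public keys" behind the pins are just hashed placeholder bytes. Major browsers have since removed HPKP support, so a check like this matters mainly when auditing legacy server configurations or archived response headers.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# A query value of 16+ URL-safe characters is treated as a possible per-visitor token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")
NINETY_DAYS = 90 * 24 * 60 * 60


def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header into its repeated pin-sha256 values and
    the remaining single-valued directives (directive names lower-cased)."""
    pins, directives = [], {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")  # split at the first '=' only
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name == "pin-sha256":
            pins.append(value)
        else:
            directives[name] = value
    return {"pins": pins, "directives": directives}


def valid_pin(pin) -> bool:
    """A pin-sha256 value must be the base64 encoding of a 32-byte SHA-256 digest."""
    if not pin:
        return False
    try:
        raw = base64.b64decode(pin, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def privacy_findings(header: str) -> list:
    """Return short finding codes for the tracking-related signals in a header."""
    parsed = parse_hpkp(header)
    d = parsed["directives"]
    findings = []
    if any(not valid_pin(p) for p in parsed["pins"]):
        findings.append("malformed-pin")
    if len(parsed["pins"]) > 4:  # heuristic: primary + backup pins rarely exceed this
        findings.append("excess-pins")
    token_param = None
    uri = d.get("report-uri")
    if uri:
        for key, values in parse_qs(urlparse(uri).query).items():
            if any(TOKEN_RE.match(v) for v in values):
                token_param = key
                break
    if token_param is not None:
        findings.append("report-uri-token")
        if "includesubdomains" in d:
            # A token in the report-uri plus includeSubDomains lets a single
            # mis-pinned subdomain resource trigger a report that names the visitor.
            findings.append("report-uri-subdomain-trigger")
    try:
        max_age = int(d.get("max-age") or 0)
    except ValueError:
        max_age = 0
    if max_age > NINETY_DAYS:
        findings.append("long-max-age")
    return findings


def _pin(material: bytes) -> str:
    """Base64(SHA-256(material)); the material stands in for an SPKI blob (constructed)."""
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


PRIMARY_PIN = _pin(b"constructed-primary-spki")
BACKUP_PIN = _pin(b"constructed-backup-spki")

# Constructed sample headers; hostnames and the token are placeholders.
BENIGN_HEADER = (
    f'pin-sha256="{PRIMARY_PIN}"; pin-sha256="{BACKUP_PIN}"; '
    'max-age=5184000; includeSubDomains; report-uri="https://hpkp-reports.example/report"'
)
SUSPICIOUS_HEADER = (
    f'pin-sha256="{PRIMARY_PIN}"; pin-sha256="{BACKUP_PIN}"; '
    'max-age=31536000; includeSubDomains; '
    'report-uri="https://r.example/report?v=c0ffee1234deadbeef9a8b7c6d5e4f3a"'
)

if __name__ == "__main__":
    for label, header in (("benign", BENIGN_HEADER), ("suspicious", SUSPICIOUS_HEADER)):
        print(label, privacy_findings(header) or ["no findings"])
```

The checker reports codes rather than verdicts on purpose: a `report-uri` with a query string is not proof of tracking, but the combination of a high-entropy parameter, `includeSubDomains` and a year-long `max-age` is exactly the shape the answer describes and is worth a manual look.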