
When you search Google for super cookies, the top results are VPN services that say they are used by ISPs to track users. The Wikipedia article on Supercookie says nothing about HTTP headers or what exactly super cookies are.

I'm interested in what a subdomain can do to harm the domain. Are supercookies the same as HSTS supercookies, as described in this question: What are HSTS Super Cookies?

When we were discussing scheme.org, which will act like an umbrella for different subdomains, someone suggested to me that the domain should be reported to https://publicsuffix.org/, otherwise a subdomain could steal login cookies. This seems unlikely to me, because in one article (at some VPN company) I read that those are not actually cookies, only HTTP headers.

So can someone explain what exactly super cookies are and what a potential attacker can do with them to harm the domain? Or what attack vectors an evil person has with super cookies?

jcubic

1 Answer

2

A super cookie is basically an identifier which makes it possible to identify a specific user or user group over multiple domains and which is more or less resistant against countermeasures.

The actual implementations vary. But the basic idea is that the identifier is not bound to a single property like an HTTP cookie, browser fingerprint, IP address, ETag, HSTS or similar, but that it combines multiple properties. This makes it resistant against particular countermeasures, since it is possible to identify the user again even with a subset of the original properties.

Steffen Ullrich
  • Does it mean that it's useful only for the domain to track users on subdomains? And a subdomain can't use it for any purpose? – jcubic Nov 29 '20 at 14:42
  • Sure it can be used for subdomains, but even normal cookies can be used for this. The goal of super cookies is usually to do cross-domain tracking and to defeat countermeasures by the user; not sure if this is even your use case. – Steffen Ullrich Nov 29 '20 at 14:47
  • You're saying that a normal cookie can be set on a subdomain and read on the domain, or the other way around? What about the Same Origin Policy? – jcubic Nov 30 '20 at 08:29
  • @jcubic: The Same Origin Policy does not directly apply to cookies. Cookies have their own policy, which allows cookies to span subdomains. – Steffen Ullrich Nov 30 '20 at 11:53
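The last two comments are where the question's real concern lives: ordinary cookies, not super cookies, are what cross subdomain boundaries, and the Public Suffix List is what stops that for umbrella domains. The following Python model is an added example (not code from the question, the answer, or publicsuffix.org); it implements the RFC 6265 domain-match rule and the public-suffix check that browsers apply when a response tries to set a `Domain=` cookie. The suffix set is constructed for the demo, and `umbrella.example` is assumed to be a domain that was registered on the list because it hands subdomains to unrelated parties.

```python
"""
Simplified model of how browsers scope cookies across subdomains (RFC 6265).
Added example; the public-suffix set below is a constructed stand-in for the
real list published at https://publicsuffix.org/.
"""

# Constructed stand-in for the Public Suffix List. A real browser loads the
# full list; "umbrella.example" is an ASSUMED private-section entry standing
# for a parent domain that hands subdomains to unrelated tenants.
PUBLIC_SUFFIXES = {"org", "com", "umbrella.example"}


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: the host is the cookie domain or a
    subdomain of it. The label boundary matters: 'notexample.org' must not
    match 'example.org'."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def is_public_suffix(domain: str) -> bool:
    """True when no single registrant owns the whole domain."""
    return domain.lower().strip(".") in PUBLIC_SUFFIXES


def may_set_domain_cookie(setting_host: str, cookie_domain: str) -> bool:
    """Can a response from setting_host set a cookie with Domain=cookie_domain?
    Browsers refuse when the domain is a public suffix (every sibling
    registrant would otherwise receive it) or when the setting host does not
    lie inside that domain."""
    if is_public_suffix(cookie_domain):
        return False
    return domain_matches(setting_host, cookie_domain)


def cookie_sent_to(cookie_domain: str, host_only: bool, request_host: str) -> bool:
    """Is a stored cookie attached to a request for request_host? A host-only
    cookie (no Domain attribute) goes back only to the exact host; a domain
    cookie goes to the domain and to every one of its subdomains."""
    if host_only:
        return request_host.lower().rstrip(".") == cookie_domain.lower().rstrip(".")
    return domain_matches(request_host, cookie_domain)


def scenario() -> dict:
    """The situation from the question: a parent domain acting as an umbrella
    for subdomains operated by different people."""
    r = {}
    # 1. A subdomain may set Domain=example.org; the browser then sends that
    #    cookie to example.org and to every sibling subdomain.
    r["sub_sets_parent_cookie"] = may_set_domain_cookie("tenant.example.org", "example.org")
    r["parent_receives_it"] = cookie_sent_to("example.org", False, "example.org")
    r["sibling_receives_it"] = cookie_sent_to("example.org", False, "login.example.org")
    # 2. A host-only session cookie set by login.example.org is never sent to
    #    a sibling, so omitting Domain= is the safe default for logins.
    r["host_only_stays_put"] = cookie_sent_to("login.example.org", True, "tenant.example.org")
    # 3. Domain=org is rejected: "org" is a public suffix.
    r["tld_cookie_rejected"] = may_set_domain_cookie("example.org", "org")
    # 4. With umbrella.example on the list, one tenant can no longer set a
    #    cookie that its sibling tenants would receive.
    r["psl_blocks_umbrella_cookie"] = may_set_domain_cookie("tenant-a.umbrella.example", "umbrella.example")
    # 5. Label boundaries: a look-alike registrant gets nothing.
    r["lookalike_excluded"] = cookie_sent_to("example.org", False, "notexample.org")
    return r


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Cases 1 and 4 are the two halves of the public-suffix suggestion in the question: without the listing, any subdomain can create a parent-scoped cookie that every other subdomain (and the parent) receives; with it, the browser refuses such cookies. Case 2 is the mitigation a single site controls on its own: leave the `Domain` attribute off session cookies so they stay host-only.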