Using HSTS to Track Incognito Users
Sam Greenhalgh (via Yan Zhu):
A security feature of modern web browsers called “HTTP Strict Transport Security” (HSTS) allows a website to indicate that it should always be accessed using a secure connection. If you visit a site that has HSTS enabled, your web browser will remember this flag and ensure the connection is secure any time you visit the website in the future. Subsequent visits to the site without using a secure connection get automatically redirected by the web browser to the secure variant of the web address, beginning https://
This automatic redirecting protects your access to the site from being intercepted but could also be abused by a malicious site to store a unique number to track your web browser. A number can be encoded as a series of bits (true and false values) and stored by accessing a set of web addresses. Each web address responds with HSTS enabled or disabled depending on the address. Once the number is stored it could be read by other sites in the future. Reading the number just requires testing if requests for the same web addresses are redirected or not.
[…]
However, unlike cookies, existing HSTS flags are still shared with sites when using “incognito” or “private” windows. The impact is that it’s possible for a site to track you even if you choose to use “incognito” or “private” browsing features in an effort to avoid such tracking.
Considerably more worrying is the behavior displayed by Safari, the default browser for iPad and iPhone. When using Safari on an Apple device there appears to be no way that HSTS flags can be cleared by the user. HSTS flags are even synced with the iCloud service so they will be restored if the device is wiped. In this case the device can effectively be “branded” with an indelible tracking value that you have no way of removing.
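As an added illustration (not part of Greenhalgh's post or Gruber's commentary), a small Python heuristic a defender could run over the hostnames in a browser's HSTS store to spot the pattern described above: many numbered sibling subdomains of one parent domain, each acting as a single bit slot. The sample hostnames, the function names, and the two-label parent-domain rule are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of hostnames carrying an HSTS flag in a browser's store.
# Real stores differ per browser (Firefox keeps plaintext hostnames, Chrome
# stores hashed ones), so this example works on a plain list of hostnames.
SAMPLE_HSTS_HOSTS = [
    "mail.example.org",
    "www.example.org",
    "login.bank-example.com",
    "b0.track-example.net",
    "b2.track-example.net",
    "b3.track-example.net",
    "b5.track-example.net",
    "b7.track-example.net",
    "b9.track-example.net",
]

# A leftmost label that is a short word followed by a number: b0, bit3, id12
LABEL_RE = re.compile(r"^[a-z]*\d+$")


def registrable_parent(host: str) -> str:
    """Assumed simplification: treat the last two labels as the parent domain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_suspicious_parents(hosts, min_siblings=4):
    """Group hosts by parent domain and flag parents whose leftmost labels look
    like numbered bit slots. Returns {parent: sorted labels} for flagged parents."""
    by_parent = defaultdict(list)
    for host in hosts:
        labels = host.lower().split(".")
        if len(labels) < 3:
            continue  # a bare parent domain cannot be a bit slot
        if LABEL_RE.match(labels[0]):
            by_parent[registrable_parent(host)].append(labels[0])
    return {p: sorted(ls) for p, ls in by_parent.items() if len(ls) >= min_siblings}


if __name__ == "__main__":
    for parent, labels in find_suspicious_parents(SAMPLE_HSTS_HOSTS).items():
        print(f"{parent}: {len(labels)} numbered HSTS subdomains {labels}")
```

Treat hits as leads rather than proof: a CDN or mail provider with numbered hosts will trip the same pattern, and Chrome's hashed store would need the candidate hostnames hashed first before any comparison.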