Researcher says HTTPS can track You

Perhaps you’ve read that “HTTPS” at the start of a website address means that the site is secure, encrypted. However, a feature of the HTTPS can track you, says an article at theregister.co.uk.

tumblr_inline_niu7qg4Vtm1qa344h.jpg

HTTP is not secure. Carnegie Mellon University in a Register article states “HSTS”, which is “Strict Transport Security”  redirects users to HTTPS. The HSTS authors decided that this redirection every single time was a bit much, so they came up with a feature that browsers could remember regarding the HSTS policy of visited sites. I know, a LOT OF INFORMATION.

The Register article goes on to explain that this feature is a “super cookie.” If you use a redirected site, an HSTS “pin” is set. It’s unique to you and the site you visit. Sam Greenhalgh says, as quoted in the article, “Once the number is stored it could be read by other sites in the future. Reading the number just requires testing if requests for the same web addresses are redirected or not.”

The browsing modes of incognito or private have no effect, continues the article. IE doesn’t support HSTS, but Chrome, Firefox and Opera browsers permit HSTS flags to be cleared.

Safari is a different story, says Greenhalgh. The article quotes him: “When using Safari on an Apple device there appears to be no way that HSTS flags can be cleared by the user. HSTS flags are even synced with the iCloud service so they will be restored if the device is wiped. In this case the device can effectively be 'branded' with an indelible tracking value that you have no way of removing.”

Think of all of this as a kind of fingerprinting of the user, you. A crook who runs a malicious site is capable of exploiting this feature. However, Google has reported to Greenhalgh that it’s “not practical” to “defeat such fingerprinting.”Its not practical getting hacked either.

Protect your privacy:

  • Don’t send any sensitive information when connecting over public Wi-Fi (e.g. don’t do banking or shop online)
  • Use private browsing mode on your Internet browser or at least turn off your browser cookies.
  • Never reply to spam or unknown messages, whether by email, text, IM or social networking posts from people you don’t know—especially if it’s for an offer that sounds too good to be true.
  • Only friend or connect with people online you know in real life.
  • Make sure when you’re providing any personal information online that the site uses encryption (look for https:// in the URL) and check to see how they are using your personal data in their privacy policy.
  • Be aware of location services with your smartphone or tablet. Turn off the GPS on your mobile device’s camera and only allow 

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Votes: 0
E-mail me when people leave their comments –

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

Comments

  • What a marvelous device for Spear Phishing. 

    If I brand the user once and capture the cookie, I can track the user's movements as he crosses an infected grid of web servers.

    The cookie clearing has to be fixed immediately and by default.  Or, we have accidentally created a criminal identity management system that the user cannot see or control.

     

    Apple is in line to get sued for AntiPrivacy practices, again. 

     

    If I know it can only be uniquely one user, why use passwords when I have conclusive proof of identity?

     

This reply was deleted.

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!

lead