For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn't save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care.

Ironically, the chink that allows websites to uniquely track people's incognito browsing is a much-needed and relatively new security mechanism known as HTTP Strict Transport Security. Websites use it to ensure that an end user interacts with their servers only when using secure HTTPS connections. By appending a flag to the header a browser receives when making a request to a server, HSTS ensures that all later connections to a website are encrypted using one of the widely used HTTPS protocols. By requiring all subsequent connections to be encrypted, HSTS protects users against downgrade attacks, in which hackers convert an encrypted connection back into plain-text HTTP.

Sam Greenhalgh, a technology and software consultant who operates RadicalResearch, has figured out a way to turn this security feature into a potential privacy hazard. His proof of concept is known as HSTS Super Cookies. Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at. There are two things that give his cookies super powers. The first is that once set and depending on the specific browser and platform it runs on, the cookies will be visible even if a user has switched to incognito browsing. The second is that the cookies can be read by websites from multiple domain names, not just the one that originally set the identifier. The result: unless users take special precautions, super cookies will persist in their browser even when private browsing is turned on and will allow multiple websites to track user movements across the Web.

Update: The latest version of firefox, 34.0.5, no longer allows HSTS Super Cookies set in regular mode to persist in private mode. Greenhalgh said this fix is recent and produced screenshots showing his PoC worked on version 33 of Firefox, at least when running on Windows. Firefox 34.0.5 continued to allow multiple websites access super cookies. Chrome on Windows remained fully vulnerable, as did Chrome and Safari running on an iPad tested by Ars. Internet Explorer isn't vulnerable because currently supported versions of the browser don't support HSTS.

How it works

For any one site, HSTS can be used to hold only a single binary value—either on or off. To work around this limitation, Greenhalgh strings together 32 sites, adds all of the ons and offs, and stores them as a binary number. The result is the ability to uniquely tag more than two billion individual browsers. To make it easier on the website, the decimal number he stores is converted into a base36 string, so 169ze7 is used to represent 71009647, or lm8nsf is used to represent 1307145327. Of course, a less scrupulous website could perform the same tracking in a way that was less transparent.

Once someone visits Greenhalgh's PoC page in normal browsing mode, the unique identifier will persist even when viewing the page with privacy mode turned on. What's more, other sites—for instance, this one—will be able to read the identifier, allowing the tracking of users across large numbers of websites. These abilities fly in the face of what most users have come to expect. Typically, turning on privacy mode prevents websites from reading any previously set cookies. And unlike HSTS Super Cookies, most standard cookies can be read only by the Internet domain that set them.

Fortunately, except for people using the Safari browser on an iPhone or iPad, it's possible to flush the browser flags that make HSTS Super Cookies possible. All that's required is that before switching to privacy mode a user delete all cookies. Every standard browser—with the exception of Safari on iDevices—will also flush the HSTS settings. (Unfortunately, these settings appear to be difficult or impossible to remove when using Safari on iPads and iPhones, Greenhalgh said.) He found no evidence HSTS flags set in privacy mode are carried over into normal browsing, meaning people who have visited a site only incognito are safe from the attack.

HSTS Super Cookies are a good example of how the introduction of new features–even those that provide much-needed security improvements—can turn into holes hackers can exploit. The whole point of HSTS is to ensure a browser always uses HTTPS when making subsequent visits to a website that supports the mechanism. Browser developers almost certainly wanted those flags to carry over from normal mode to privacy mode to ensure privacy-minded users received the benefit of this protection. Now that there's a viable way of using HSTS to uniquely identify these users, developers will surely rethink their decision, but their options may remain limited.

Post updated to add details about recent fixes in Firefox.