When you visit a website over a secure connection, your web browser displays a padlock icon.

The icon indicates that your connection to the site is encrypted and cannot be intercepted or tampered with in transit.

The original article embeds a live demo that displays a unique value generated by JavaScript in the page; that value is what the technique below stores in, and later reads back from, the browser.

Abusing ‘HTTP Strict Transport Security’ (HSTS) supercookies for cookieless tracking

Different web browsers don't behave in exactly the same way.


The tracking server answers a set of web addresses (one per bit of the value) with HSTS either enabled or disabled, depending on the address, so the browser's HSTS cache ends up holding one bit per address.


Once the number is stored this way, other sites could read it back in the future, without any cookie being involved.

Reading the number only requires testing whether plain-http requests to those same web addresses are redirected to https or not: a redirect means the HSTS flag is set, so that bit is 1.

Using incognito or private modes means that existing cookies won't be shared with the sites you visit.

Browsers also let you delete cookies outright, so that they can no longer be used to track you.

HSTS can only be exploited to track users through deliberate misuse of the mechanism; it is not a flaw in what HSTS is meant to do.

Some browsers, such as Google Chrome, Firefox and Opera, mitigate the issue to some extent.

On these browsers, erasing cookies also erases HSTS flags, so any stored value is cleared along with them.

However, unlike cookies, existing HSTS flags are still consulted for sites visited in incognito or private windows, so the stored value can still be read there.
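The write and read phases described above, together with the Chrome/Firefox/Opera behaviour just discussed (clearing cookies clears HSTS, but private windows still see it), as an added in-process simulation. This is constructed example code, not code from the original article or from Sam Greenhalgh's demo: the browser's HSTS cache and the tracker server are both modelled in memory, nothing touches the network, and the hostnames (bit0.tracker.example and so on) are hypothetical.

```javascript
// Simulation of an HSTS supercookie: one subdomain per bit of an identifier.
// Constructed example; hostnames under tracker.example are hypothetical.

const BITS = 8;
const TRACKER = "tracker.example";
const bitHost = (i) => `bit${i}.${TRACKER}`;

// Minimal browser model: an HSTS cache plus the internal http->https upgrade
// it causes. The upgrade happens before any request leaves the browser.
class Browser {
  constructor(hsts = new Set()) { this.hsts = hsts; }

  fetch(url, server) {
    const u = new URL(url);
    // A plain-http request to an HSTS-flagged host is silently rewritten to https.
    if (u.protocol === "http:" && this.hsts.has(u.hostname)) u.protocol = "https:";
    const resp = server.handle(u);
    // Per RFC 6797 the STS header is only honoured on a secure connection;
    // a positive max-age creates the entry, max-age=0 deletes it.
    const sts = resp.headers["strict-transport-security"];
    if (u.protocol === "https:" && sts !== undefined) {
      const maxAge = Number(/max-age=(\d+)/.exec(sts)[1]);
      if (maxAge > 0) this.hsts.add(u.hostname); else this.hsts.delete(u.hostname);
    }
    return resp;
  }

  // Chrome/Firefox/Opera behaviour described in the text: clearing cookies
  // also wipes the HSTS flags.
  clearCookiesAndSiteData() { this.hsts.clear(); }

  // Private window: no cookies, but the same HSTS cache is still consulted.
  openPrivateWindow() { return new Browser(this.hsts); }
}

// Tracker server model. /set and /clear drive the HSTS flag for the host that
// was requested; /probe reports which scheme the request arrived on.
class TrackerServer {
  handle(u) {
    const headers = {};
    if (u.pathname === "/set") headers["strict-transport-security"] = "max-age=31536000";
    if (u.pathname === "/clear") headers["strict-transport-security"] = "max-age=0";
    const body = u.pathname === "/probe" ? (u.protocol === "https:" ? "1" : "0") : "";
    return { headers, body };
  }
}

// Write phase: page JavaScript requests every bit host over https and asks
// the server to set or clear HSTS according to that bit of the identifier.
function storeId(browser, server, id) {
  for (let i = 0; i < BITS; i++) {
    const path = (id >> i) & 1 ? "/set" : "/clear";
    browser.fetch(`https://${bitHost(i)}${path}`, server);
  }
}

// Read phase: request every bit host over plain http and see which requests
// the browser upgraded. No cookie is sent or read at any point.
function readId(browser, server) {
  let id = 0;
  for (let i = 0; i < BITS; i++) {
    const resp = browser.fetch(`http://${bitHost(i)}/probe`, server);
    if (resp.body === "1") id |= 1 << i;
  }
  return id;
}

// Run the scenarios the text describes and return what each read observed.
function demo(id = 0xb2) {
  const server = new TrackerServer();
  const browser = new Browser();
  const before = readId(browser, server);                    // fresh browser: nothing stored
  storeId(browser, server, id);
  const normal = readId(browser, server);                    // the identifier comes back
  const priv = readId(browser.openPrivateWindow(), server);  // ...and so it does in private mode
  browser.clearCookiesAndSiteData();
  const afterClear = readId(browser, server);                // clearing cookies removed it
  return { before, normal, priv, afterClear };
}
```

The two details that make the leak work are visible in `Browser.fetch`: the upgrade is decided locally from the HSTS cache before the request is sent, and the server can tell https from http on the probe endpoint. A real tracker would issue the probes as image or script loads from the page and encode the result in the response; the simulation collapses that into the returned body.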

Considerably more worrying is the behaviour of Safari, the default browser on the iPad and iPhone.

There, HSTS flags are even synced through iCloud, so they are restored even after the device has been wiped.

You can read more here and here.

Ultimately, they conclude that there is a necessary trade-off between security and privacy.

This article has been published with permission of Sam Greenhalgh in its entirety.

You can also read the entire article on Radical Research.

Source: www.techworm.net