Researcher says HTTPS can track you

By: Robert Siciliano  |  January 27, 2015

Perhaps you’ve read that “HTTPS” at the start of a website address means that the site is secure and encrypted. However, a feature of HTTPS can track you, says an article at

HTTP is not secure. Carnegie Mellon University, in a Register article, states that “HSTS”, which is “Strict Transport Security”, redirects users to HTTPS. The HSTS authors decided that doing this redirection every single time was a bit much, so they came up with a feature that lets browsers remember the HSTS policy of visited sites. I know, a LOT OF INFORMATION.

The Register article goes on to explain that this feature is a “super cookie.” If you use a redirected site, an HSTS “pin” is set. It’s unique to you and the site you visit. Sam Greenhalgh says, as quoted in the article, “Once the number is stored it could be read by other sites in the future. Reading the number just requires testing if requests for the same web addresses are redirected or not.”

The browsing modes of incognito or private have no effect, continues the article. IE doesn’t support HSTS, but Chrome, Firefox and Opera browsers permit HSTS flags to be cleared.
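The mechanism described above can be modelled in a few lines. This is an added illustration, not code from the Register article or from Greenhalgh; it assumes one remembered host per bit of the number, and the host names under `tracker.example` and the 8-bit width are constructed. It shows why the value persists in the browser's HSTS list and why clearing the flags, where the browser permits it, resets it.

```python
# Added illustration: an in-memory model of a browser's HSTS store.
# Host names under tracker.example and the 8-bit width are constructed.

class HstsStore:
    """Models the per-browser list of hosts that sent Strict-Transport-Security."""

    def __init__(self):
        self._expiry = {}  # host -> time (seconds) at which the flag expires

    def note_header(self, host, header, now):
        """Record or delete a flag from a Strict-Transport-Security header value."""
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                seconds = int(value.strip('"'))
                if seconds > 0:
                    self._expiry[host] = now + seconds
                else:
                    self._expiry.pop(host, None)  # max-age=0 removes the flag

    def upgrades(self, host, now):
        """True if a plain http:// request to host is rewritten to https://."""
        return self._expiry.get(host, 0) > now

    def clear(self):
        """The user action that clears all remembered HSTS flags."""
        self._expiry.clear()


BITS = 8
HOSTS = [f"b{i}.tracker.example" for i in range(BITS)]  # constructed names


def store_number(store, number, now=0):
    """First visit: only hosts whose bit is 1 answer with an HSTS header."""
    for i, host in enumerate(HOSTS):
        if (number >> i) & 1:
            store.note_header(host, "max-age=31536000", now)


def read_number(store, now=1):
    """Later visit: each upgraded http:// request reveals one bit."""
    return sum(1 << i for i, host in enumerate(HOSTS) if store.upgrades(host, now))


def demo():
    store = HstsStore()
    store_number(store, 0b10110010)
    before = read_number(store)  # flags persist until expiry or clearing
    store.clear()
    after = read_number(store)   # cleared flags read back as zero
    return before, after
```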

Safari is a different story, says Greenhalgh. The article quotes him: “When using Safari on an Apple device there appears to be no way that HSTS flags can be cleared by the user. HSTS flags are even synced with the iCloud service so they will be restored if the device is wiped. In this case the device can effectively be ‘branded’ with an indelible tracking value that you have no way of removing.”

Think of all of this as a kind of fingerprinting of the user, you. A crook who runs a malicious site is capable of exploiting this feature. However, Google has reported to Greenhalgh that it’s “not practical” to “defeat such fingerprinting.” It’s not practical getting hacked either.

Protect your privacy:

  • Don’t send any sensitive information when connecting over public Wi-Fi (e.g. don’t do banking or shop online).
  • Use private browsing mode on your Internet browser or at least turn off your browser cookies.
  • Never reply to spam or unknown messages, whether by email, text, IM or social networking posts from people you don’t know—especially if it’s for an offer that sounds too good to be true.
  • Only friend or connect with people online you know in real life.
  • Make sure when you’re providing any personal information online that the site uses encryption (look for https:// in the URL) and check to see how they are using your personal data in their privacy policy.
  • Be aware of location services with your smartphone or tablet. Turn off the GPS on your mobile device’s camera and only allow

Robert Siciliano is an identity theft expert to discussing identity theft prevention.
