Your browser’s incognito mode might not be a secure as you think. A researcher has come up with a proof of concept for Super Cookies, a type of data retention that could turn one of your browser’s biggest security features into its biggest privacy hazard.
Cookies are messages between a web server and web browser that get exchanged when a user requests an Internet site. Then, when the user returns to the same site, the website will recognize the user from the cookie it has stored. Essentially, cookies allow websites to fingerprint users and keep tabs on them—when they’re not in incognito mode. Presumably, the difference in incognito mode is that cookies are never exchanged.
Now Sam Greenhalgh, a technology and software consultant, has developed a proof of concept for HSTS Super Cookies, which can fingerprint users even in incognito mode. In order to show he has this capability, his site sets a tracking ID for each visitor. Visit the site as many times as you like in as many browsers and browser settings as you want; you’re still vulnerable to Super Cookies if the tracking ID remains the same.
HSTS stands for HTTP Strict Transport Security, a security protocol that ensures users only interact with a website via a secure HTTPS connection. For a more detailed explanation, check out Ars Technica’s thorough description.
Greenhalgh noted that he is aware of only one browser version that is invulnerable to HSTS Super Cookies: the latest version of Firefox, 34.0.5. Internet Explorer isn’t vulnerable for a different reason—it doesn’t support HSTS security in the first place.
Photo by Jeramey Jannene