
Apple Blocks Sites From Abusing HSTS Security Standard to Track Users

CyberWisdom Safe Harbor Commentary on Apple Blocks Sites

A story from thehackernews.com that is likely to be overlooked discusses something we rarely talk about and may not realize: the security standard HTTP Strict Transport Security (HSTS) can be abused as a ‘supercookie’ to track users of almost every modern web browser without their knowledge, even when they use “private browsing”.
Apple has now added mitigations to WebKit, the open-source browser engine behind Safari, to prevent this abuse against Safari users; the attack was first described, as a theoretical one, in 2015.
HSTS is a useful feature: once a site enables it, the browser remembers that the site must only be reached over HTTPS, so if the user later opens an insecure URL by mistake, the browser automatically routes the request to the secure HTTPS connection instead.

HSTS lets a website store only one piece of information in the user’s browser: whether the HTTPS redirection is on or off for a given host, remembered for future visits. That single bit is enough for someone interested in tracking web users to build what is called a supercookie, which a cross-site tracking server can later read back to identify the same user across sites.

Here is a simple example of how HSTS supercookie tracking works:
To track each user, the site assigns every visitor a unique random number, for example 909090, whose 32-bit binary representation is 00000000000011011101111100100010.
To store this binary number for a particular user, the site sets HSTS policy on 32 of its subdomains (tr01.example.com, tr02.example.com, …, tr32.example.com) accordingly: a subdomain with HSTS enabled represents a 1, and one without it represents a 0.
Afterwards, every time the user visits a site carrying the tracker, it silently loads invisible pixels from those 32 subdomains in the background, one per bit, and the server observes which subdomains were requested over HTTPS (1) and which stayed on plain HTTP (0).
Combining those values reveals the user’s unique binary identifier to the server, which lets the site or advertiser tag the same user on every site.
Apple has now added two mitigations to Safari’s WebKit engine that address the two halves of the attack: creating the tracking identifier, and later reading it back with invisible pixels.

Remedies

Mitigation one addresses setting up the supercookie. Attackers were using long URLs that encode the number in the leading subdomains of the primary domain, so that HSTS could be set on a large number of subdomains at once.
Safari now limits HSTS state to the loaded hostname or the top-level domain plus one (TLD+1), and “WebKit also limits the number of redirects that can be chained together, which caps the number of bits that can be set even if the delay were judged acceptable.”
“This prevents the tracker from effectively setting HSTS across a large number of different bits; instead, they must individually visit each domain that represents an active bit in the tracking identifier,” said Brent Fulgham, a developer on Safari’s WebKit engine.
“While content providers and advertisers may determine that the delay caused by a single redirect to set many bits is not noticeable to the user, the need to redirect to 32 or more domains to set the identifier bits would be perceived by users, and so is unacceptable to them and to content providers.”

Mitigation two: Safari ignores a domain’s HSTS state for sub-resource requests, so WebKit prevents operations such as loading invisible tracking pixels from triggering HSTS redirects, which turns the HSTS supercookie into a bit string of only zeros.
Apple also says it is not aware of any individual, organization or advertising company using HSTS supercookie tracking to target Safari users.
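To make the 32-subdomain encoding above and the two WebKit mitigations concrete, here is an added toy model (example code, not from the article or from WebKit) of a browser’s HSTS store: with `patched=False` the tracker recovers 909090 from the pixel loads, with `patched=True` the readout is all zeros and off-host HSTS state is refused. The `HstsStore` class, its method names and the `trNN.example.com` list are this example’s own constructions, following the article’s description.

```python
from dataclasses import dataclass, field

TRACKER_ID = 909090   # the article's sample identifier
BITS = 32
# Constructed subdomain list following the article's tr01..tr32.example.com layout.
SUBDOMAINS = [f"tr{i:02d}.example.com" for i in range(1, BITS + 1)]

def id_to_bits(value, width=BITS):
    """Most-significant bit first: 909090 -> 00000000000011011101111100100010."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

@dataclass
class HstsStore:
    """Toy per-browser HSTS store; patched=True models the two WebKit mitigations."""
    patched: bool
    hosts: set = field(default_factory=set)

    def remember(self, loaded_host, hsts_host):
        """An HSTS header arrived while loading `loaded_host`, claiming `hsts_host`."""
        tld_plus_one = ".".join(loaded_host.split(".")[-2:])
        if self.patched and hsts_host not in (loaded_host, tld_plus_one):
            return False  # mitigation 1: only the loaded host or TLD+1 may be recorded
        self.hosts.add(hsts_host)
        return True

    def upgrades(self, host, subresource):
        """Would an http:// request to `host` be rewritten to https://?"""
        if self.patched and subresource:
            return False  # mitigation 2: sub-resources (pixels) never get HSTS redirects
        return host in self.hosts

def set_supercookie(store):
    """Tracker side, simulated: one top-level navigation per '1' bit.
    Returns how many bits the browser actually recorded."""
    recorded = 0
    for host, bit in zip(SUBDOMAINS, id_to_bits(TRACKER_ID)):
        if bit and store.remember(host, host):
            recorded += 1
    return recorded

def read_supercookie(store):
    """Tracker side, simulated: load 32 invisible pixels over http:// and
    see which ones the browser upgrades to https://."""
    bits = [int(store.upgrades(h, subresource=True)) for h in SUBDOMAINS]
    return int("".join(map(str, bits)), 2)
```

In the patched store the bits are still recorded for the visited hosts, so ordinary navigations keep their HTTPS upgrade; only the pixel-based readout is defeated.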


If you are unaware, the security standard HTTP Strict Transport Security (HSTS) can be abused as a ‘supercookie’ to surreptitiously track users of almost every modern web browser online without their knowledge even when they use “private browsing.” Apple has now added mitigations to its open-source browser infrastructure WebKit that underpins its Safari web browser to prevent HSTS abuse after…
