CyberWisdom Safe Harbor Commentary on Apple Blocks Sites
Mitigation one addresses how the supercookie is set: trackers use long URLs to encode digits in the subdomains of the main domain name and so set HSTS on a wide range of subdomains at once.
Safari now limits the HSTS state to the loaded hostname or the top-level domain plus one (TLD+1), and “WebKit also limits the number of redirects that can be chained together, which limits the number of bits that can be set even if the delay is judged to be acceptable.”
“This prevents the tracker from effectively setting up the HSTS across a large number of different bits; instead, they must individually access each domain that represents the active bits in the tracking identifier,” said Brent Fulgham, Safari WebKit engine developer.
“Although content providers and advertisers may determine that the delay caused by single-source redirection to set many bits is not noticeable to the user, the need to redirect to 32 or more domains to set the identifier bits is perceived by users, so neither they nor content providers can accept it.”
In mitigation two, Safari ignores the HSTS state for subresource requests to blocked domains, so WebKit prevents operations such as invisible tracking pixels from forcing HSTS redirects; the HSTS supercookie then reads back as an all-zeros bit string.
However, Apple reports that it has not found any individual, organization or advertising company using HSTS supercookie tracking to target Safari users.
If you are unaware, the security standard HTTP Strict Transport Security (HSTS) can be abused as a ‘supercookie’ to surreptitiously track users of almost every modern web browser online without their knowledge, even when they use “private browsing.” Apple has now added mitigations to its open-source browser engine WebKit, which underpins its Safari web browser, to prevent HSTS abuse.
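To make the effect of the two mitigations concrete, here is an added toy model of a browser HSTS store (written for this commentary; it is not WebKit's code, and the tracker domain, bit hostnames, blocklist and redirect cap are constructed assumptions). It counts how many identifier bits survive a write-then-read cycle with the mitigations off, with the TLD+1 limit and redirect cap on, and with HSTS ignored for subresource loads from a blocked domain.

```python
# Added example (not WebKit's code): a simplified in-memory model of a browser
# HSTS store used to show how the two mitigations shrink an HSTS supercookie.
# All hostnames, the blocklist and the redirect cap are constructed values.
from dataclasses import dataclass, field


def tld_plus_one(host: str) -> str:
    """Registrable domain, simplified to the last two labels (assumption)."""
    return ".".join(host.split(".")[-2:])


@dataclass
class HSTSStore:
    upgraded: set = field(default_factory=set)          # hosts forced to https
    restrict_to_tld_plus_one: bool = False              # mitigation one
    max_redirect_chain: int = 10_000                    # mitigation one (cap)
    blocked_domains: set = field(default_factory=set)   # mitigation two list
    ignore_for_blocked_subresources: bool = False       # mitigation two

    def record_hsts(self, loaded_host: str, requested_hosts) -> None:
        """A response from loaded_host asks to set HSTS for requested_hosts."""
        allowed = {loaded_host, tld_plus_one(loaded_host)}
        for host in requested_hosts:
            if self.restrict_to_tld_plus_one and host not in allowed:
                continue  # only the loaded hostname or TLD+1 may be set
            self.upgraded.add(host)

    def follow_redirect_chain(self, hosts) -> None:
        """Each hop lands on one host and sets HSTS for that host only.
        The chain is cut off after max_redirect_chain hops."""
        for host in hosts[: self.max_redirect_chain]:
            self.record_hsts(host, [host])

    def is_upgraded(self, host: str, is_subresource: bool) -> bool:
        """Would an http:// request to host be upgraded to https://?"""
        if (self.ignore_for_blocked_subresources and is_subresource
                and tld_plus_one(host) in self.blocked_domains):
            return False  # HSTS state ignored for blocked subresource loads
        return host in self.upgraded


TRACKER = "tracker.example"                            # constructed domain
BIT_HOSTS = [f"b{i}.{TRACKER}" for i in range(32)]      # one host per bit


def write_bits(store: HSTSStore, identifier: int) -> None:
    """Model the two setting paths from the commentary: one long-URL load that
    claims HSTS for many subdomains, then a redirect chain over set-bit hosts."""
    set_hosts = [h for i, h in enumerate(BIT_HOSTS) if identifier >> i & 1]
    long_url_host = ".".join(["x", "x", "x", TRACKER])   # constructed long host
    store.record_hsts(long_url_host, set_hosts)
    store.follow_redirect_chain(set_hosts)


def read_bits(store: HSTSStore) -> int:
    """Read the bits back via invisible subresource (tracking pixel) loads."""
    value = 0
    for i, host in enumerate(BIT_HOSTS):
        if store.is_upgraded(host, is_subresource=True):
            value |= 1 << i
    return value


def simulate(identifier: int, tld_limit: bool, redirect_cap: int,
             block_subresources: bool) -> int:
    """Return the identifier recoverable under the chosen mitigation settings."""
    store = HSTSStore(restrict_to_tld_plus_one=tld_limit,
                      max_redirect_chain=redirect_cap,
                      blocked_domains={TRACKER},
                      ignore_for_blocked_subresources=block_subresources)
    write_bits(store, identifier)
    return read_bits(store)


if __name__ == "__main__":
    ident = 0xDEADBEEF
    print(f"no mitigation:          {simulate(ident, False, 10_000, False):#010x}")
    print(f"TLD+1 limit, cap 5:     {simulate(ident, True, 5, False):#010x}")
    print(f"blocked subresources:   {simulate(ident, False, 10_000, True):#010x}")
```

With no mitigation the full 32-bit value comes back. With the TLD+1 limit the long-URL load sets nothing for the bit hosts, and the redirect cap leaves at most as many bits as the cap allows, which is the "32 or more domains" cost the quoted engineer describes. With the blocklist rule the read side sees every bit as zero regardless of what was set.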
thumbnail courtesy of thehackernews.com
If you would like to receive more of these curated safe harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.