by bonyt
3075 days ago
Here is an interesting dilemma: should HSTS persist in incognito mode? If not, then this becomes bad advice, because all the attacker has to do to disable HTTPS is not redirect HTTP sites to HTTPS ones (sslstrip). If so, then the list of sites for which your browser attempts HTTPS connections without being told to is the list of sites you’ve accessed in the past. This information could become a supercookie allowing sites to identify and track you even in incognito mode. https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-bro...
Here’s a project that uses this fact to look up browser history: https://github.com/diracdeltas/sniffly
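The history lookup the comment refers to can be reproduced with a small browser-side probe. The block below is an added example written for this page, not Sniffly's code; it assumes the hosting page is served with a Content-Security-Policy of `img-src http:` and that the probe hosts (`PROBE_HOSTS`, constructed names) are sites known to send HSTS headers. For a host with an HSTS entry the browser rewrites `http://host/` to `https://host/` before anything leaves the machine, the CSP then blocks the rewritten request, and `onerror` fires almost immediately; for a host with no entry the plain HTTP request actually goes out and the callback arrives only after a network round trip. The timing gap is what leaks the visit. The same CSP also stops the probe from following an HTTP-to-HTTPS redirect, so probing does not itself plant new HSTS entries.

```javascript
// Added example (not Sniffly's code): infer HSTS state, and hence past visits,
// from how fast an <img> load to http://host/ fails under a page-level CSP of
//   Content-Security-Policy: img-src http:
// Hypothetical host names, constructed for illustration.
const PROBE_HOSTS = ['hsts-site-a.example', 'hsts-site-b.example'];

// Time one image load. Resolves on error or load; under the CSP above a
// CSP-blocked (HSTS-upgraded) request errors out without touching the network.
function probeHost(host) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    const finish = () => resolve({ host, ms: performance.now() - start });
    img.onerror = finish;
    img.onload = finish;
    // Cache-buster so a previous probe's cached response cannot short-circuit the timing.
    img.src = `http://${host}/?_=${Math.random().toString(36).slice(2)}`;
  });
}

// Pure decision step: anything well under the threshold never reached the network,
// which under this CSP means the browser already held an HSTS entry for the host.
// thresholdMs should be calibrated against a control host with no HSTS entry;
// a single-digit millisecond value is typical, but it is an assumption here.
function classify(timings, thresholdMs) {
  return timings.map(({ host, ms }) => ({ host, ms, hsts: ms < thresholdMs }));
}

// Derive a threshold from a control measurement: half the round-trip time of a
// host known to have no HSTS entry separates "blocked locally" from "went out".
function thresholdFromControl(controlMs) {
  return controlMs / 2;
}

async function runProbe(hosts, thresholdMs = 5) {
  const timings = await Promise.all(hosts.map(probeHost));
  return classify(timings, thresholdMs);
}

// Only run the network part inside a browser; the pure helpers work anywhere.
if (typeof document !== 'undefined') {
  runProbe(PROBE_HOSTS).then((result) => console.table(result));
}
```

The probe only distinguishes "HSTS entry present" from "absent"; whether that entry survives into incognito mode, or is wiped with the rest of the session, is exactly the browser-policy question the comment raises, and the answer differs between browsers and versions.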