[varenc]

This is possible! HSTS does apply to incognito to my knowledge

Here’s a project that uses this fact to look up browser history: https://github.com/diracdeltas/sniffly

[crunchatized]

At least it only works on chromium-based browsers. Firefox fixed the supercookie problem when opening up a private browsing session back in Firefox 34.0.5 after it was discovered.

Which then makes the HSTS preload list and HTTPS Everywhere extension all the more valuable to defend against active attacks.