Sign in / up

back to article Apple moves on HSTS abuse in Safari

Apple has moved to block an abuse vector in the WebKit framework that underpins its Safari browser and allows HSTS to be abused to act as a 'supercookie' for user tracking. HSTS – HTTP Strict Transport Security – allows a Web site to declare to browsers that it's only accessible via HTTPS. If a user tries to hit the HTTP-only …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Charlie Clark Silver badge

    Who?

    Helme wrote

    Previous person mentioned was Greenhalgh. I assume you mean Christian Helme?

    0 0 Reply
  2. katrinab Silver badge

    So now you register dblck00.com though to dblckFF.com and use those for tracking?

    2 1 Reply
    1. handleoclast
      Reply Icon

      dblck

      So now you register dblck00.com though to dblckFF.com and use those for tracking?

      Wouldn't same-origin policy stop that from working? If implemented correctly in the browser, of course.

      1 0 Reply
      1. GnuTzu
        Reply Icon

        Re: dblck -- same-origin

        Geesh, I haven't check this setting in over a decade. Time for an article on how all the browsers are going to deal with this.

        3 0 Reply
  3. Anonymous Coward
    Anonymous Coward

    Google had a large hand in the development of HSTS

    So its hardly surprising that it can be so easily subverted to track people against their wishes.

    5 2 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like