If you’re like most people, then you use Chrome’s Incognito Mode whenever you’re engaging in activities you don’t want other people to know about – like planning surprise parties.
If you like surprise parties as much as I do, then I have some bad news for you: new “Super Cookies” have been developed that can track you even when you’re using Incognito Mode and other private browsing modes.
What are super cookies?
Super cookies weren’t well-known until early in January 2015, when UK-based security researchers at RadicalResearch published a blog post explaining a proof of concept for HSTS super cookies.
Researchers explained how a “crafty website” could create these so-called super cookies and use the cookies to deliver massive amounts of private information.
The exploit relies on something called HTTP Strict Transport Security, or HSTS. The super cookie abuses this mechanism for a purpose it was never intended to serve.
Here’s how it works:
-A user, let’s call him Mike, types a secure website URL into his browser.
-Mike is using a browser with HSTS enabled by default – like Chrome or Firefox.
-The secure website replies to Mike’s browser request saying the browser should only connect to it over HTTPS. From this point forward, all connections between Mike and the website are performed over HTTPS by default.
-The problem is that for HSTS to work, your browser has to store the data about which sites it must connect to over HTTPS. But that data can then be manipulated to fingerprint a specific browser.
-Here’s the really interesting part: since HSTS is a security feature, browsers leave it enabled whether you’re in private browsing mode or normal browsing mode. That’s why Incognito Mode and similar modes won’t prevent super cookies from tracking your system.
-Typically, when in private browsing mode, your computer doesn’t store any cookies, browsing history, or data from the websites you visit. Once the session is ended (you close your browser and exit private browsing mode), the data collected during that session is erased.
Interestingly enough, RadicalResearch’s “proof of concept” for super cookies actually creates a super cookie. Visit this page on RadicalResearch’s blog: http://www.radicalresearch.co.uk/lab/hstssupercookies
Then, open Incognito Mode and compare the two “tracking IDs”. They’re the same, right? Spooky.
Not the first time people have thought about super cookies
Super cookies have actually been thought about for quite some time. The Chromium team discussed the possibility of super cookies way back in 2011. A year later, PC security firm Leviathan wrote a blog post talking about similar concerns.
But until now, we never had a great proof-of-concept for super cookies. Thanks to RadicalResearch, we now know exactly how super cookies could work. Now let’s see if malware authors and “crafty websites” are smart enough to figure out how to exploit this problem.
How to protect yourself from super cookies
The idea of super cookies has been around for quite some time. However, it’s unknown at this point whether or not any websites are actually using super cookies to exploit users.
Fortunately, you can still protect yourself from the threat of super cookies.
The best way to protect yourself is to erase your cookies before entering Incognito Mode. Chrome will automatically flush the HSTS database when you clear your cookies.
Firefox has a similar feature. However, Firefox has actually already fixed this problem by preventing HSTS settings from carrying over to and from private browsing modes. So kudos to Firefox.
Internet Explorer users are actually the safest when it comes to HSTS exploits, but it’s only because Internet Explorer doesn’t support HSTS at all.
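To make the "Here's how it works" steps and the two browser fixes above concrete, here is an added example (not code from RadicalResearch or from any browser) that models the HSTS database a browser keeps. It shows why a store shared between normal and private mode exposes the same state to a site, while a separate private-mode store or a flush along with cookies does not. The class and function names are hypothetical, and the hostnames and header values are constructed samples.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = (s.strip() for s in part.partition("="))
        if name.lower() == "max-age":          # directive names are case-insensitive
            max_age = int(value.strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    """Toy HSTS database; partition_private=True gives private mode its own store."""
    def __init__(self, partition_private, seed=None):
        self.normal = {}
        self.private = {} if partition_private else self.normal
        for host, header in (seed or {}).items():   # headers seen in normal mode
            self.note_header(host, header)

    def _bucket(self, private):
        return self.private if private else self.normal

    def note_header(self, host, header, private=False, now=0):
        max_age, include_sub = parse_hsts(header)
        if max_age == 0:                        # max-age=0 removes the entry
            self._bucket(private).pop(host, None)
        else:
            self._bucket(private)[host] = (now + max_age, include_sub)

    def must_upgrade(self, host, private=False, now=0):
        labels = host.lower().split(".")
        for i in range(len(labels)):            # exact host, then each parent domain
            entry = self._bucket(private).get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def clear_with_cookies(self):               # models HSTS being flushed with cookies
        self.normal.clear()

# Constructed sample: headers seen during a normal-mode session, and hosts to check.
SAMPLE = {"a.example.test": "max-age=31536000", "c.example.test": "max-age=600; includeSubDomains"}
PROBES = ["a.example.test", "b.example.test", "c.example.test", "x.c.example.test"]

def observe(store, private, now=1):
    """Probe hosts this mode forces onto HTTPS: the stored state a site can read back."""
    return [h for h in PROBES if store.must_upgrade(h, private, now)]
```

Comparing `observe(HstsStore(False, SAMPLE), private=True)` with `observe(HstsStore(True, SAMPLE), private=True)` shows the difference between the shared store and the partitioned one.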