Apple moves on HSTS abuse in Safari

Apple has moved to block an abuse vector in WebKit, the framework that underpins its Safari browser, which allowed HSTS to be abused as a ‘supercookie’ for user tracking. HSTS – HTTP Strict Transport Security – lets a Web site declare to browsers that it is only accessible via HTTPS. If a user tries to reach the plain-HTTP version of such a site, the browser redirects them to the HTTPS service. The weakness in that feature was that a site could use the stored redirect information as a tracking supercookie, because the HSTS standard stipulates that Web browsers should remember the redirection for future visits, and that per-host state can be read back later to recognise the same user.