Most modern browsers come with special private modes meant to help users hide their surfing habits from coworkers or family and/or try to prevent sites from tracking their online activity. That doesn’t mean spy agencies or ISPs won’t be able to see what sites users access — that’s not what private browsing does, as Eric Schmidt has recently learned — but that, in theory, users might guard their privacy to some extent. However, as Business Insider reveals, private browsing isn’t exactly as private as you thought it was.
It looks like some sites are still able to track users even if their customers opt to visit them in private/incognito modes, as one researcher has discovered.
While private modes prevent sites from saving cookies on a machine, the bits of information that allow sites to track users and offer various features based on their preferences, some “super cookies” have been discovered that can be used to track activity even in private mode, without the user knowing what’s going on.
Apparently, a security-related browser feature called “HTTP Strict Transport Security” or HSTS, tells a website that it has to always be accessed using a secure, encrypted connection, no matter whether the user is browsing in regular or private mode.
Because HSTS info is always constant, websites can use the feature to add tracking numbers to HSTS information, and thus track users.
Such complex HSTS super cookies are apparently rather difficult to delete, especially from iOS devices used for browsing the web privately in Safari, security researcher Sam Greenhalgh reveals.
Disabling HSTS would terminate super cookie tracking, but it would also stop encrypted communication with websites.
It’s not clear how many sites are using the technique, with the researcher saying that major online retailers aren’t likely to stain their reputation by employing such tracking methods.
More details about this privacy matter are available at the source links below.