
From the original github commit:

> With all these dozens of domains (over a hundred), it sure smells like they're incorporating a HSTS fingerprinting attack into their product portfolio. HSTS fingerprinting enables a server to tag every browser with an n-bit (i.e. 100 domains is 100 bits) unique identifier so you can track that browser whenever it returns (or wherever it goes). Since users cannot clear their "HSTS cookies" as it were, this fingerprint remains permanently associated with that browser.
>
> Wonderful feature for an ad agency to track each visitor indefinitely. Even while in Private Browsing / Incognito mode.

Okay. Let's eradicate them from the surface of this planet.




Or, more constructively, go after them in the EU, where such practices would surely be illegal under the so-called cookie law (which is actually about storing information in a user's browser more generally, and not specific to cookies at all).

As long as that really is what they're doing, of course.


Couldn't they just use 100 subdomains for their 100 bits?

Maybe we need a browser extension (or just a website) that instructs your browser to make requests to the HTTPS version of domains that are found to be used to set HSTS cookies, thus "blowing the fuses" and making those domains unusable for providing bits of entropy.

In fact, rather than blowing all the fuses, the extension/website could blow just a random few, as a bit mask, giving you someone else's ID number and ruining the ad company's profiling/analytics. That way you would be helping people who weren't using this defence, rather than just having your visits not added to any profile.
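A small simulation of the mechanism the quoted commit describes and of the two countermeasures proposed in this comment (blow every fuse, or blow a random subset). This is an added example, not code from the thread, from the linked commit, or from any real tracker or extension. The probe hostnames are placeholders, the browser's HSTS store is reduced to a set of pinned hosts (no max-age, no includeSubDomains), and the model assumes the client side can only add pins, never remove them.

```python
"""Toy model of an HSTS "supercookie" and of the two countermeasures from the
thread. Constructed simulation only: placeholder hostnames, simplified HSTS store."""
import secrets

# Constructed probe hosts, one per identifier bit (placeholders, not real domains).
N_BITS = 16
PROBE_HOSTS = [f"b{i}.tracker-probe.example" for i in range(N_BITS)]


class Browser:
    """Minimal model of a browser's HSTS store: the set of hosts pinned to HTTPS.
    Real entries also carry max-age and includeSubDomains; both are omitted here."""

    def __init__(self):
        self.hsts = set()

    def receive_hsts(self, host):
        """Model of an https:// response carrying a Strict-Transport-Security header."""
        self.hsts.add(host)

    def visit(self, url):
        """Return the scheme the browser actually uses for `url`. A plain http://
        request to a pinned host is upgraded to https://; that upgrade is the
        observable bit the tracker reads back."""
        scheme, host = url.split("://", 1)
        return "https" if host in self.hsts else scheme


def tag(browser, ident):
    """Tracker side: for every set bit of `ident`, the browser is sent to probe
    host i over https and receives an HSTS header. Clear bits are never pinned."""
    for i, host in enumerate(PROBE_HOSTS):
        if (ident >> i) & 1:
            browser.receive_hsts(host)


def read_tag(browser):
    """Tracker side: request every probe host over plain http and record which
    ones the browser upgrades. Upgraded means the bit is set."""
    ident = 0
    for i, host in enumerate(PROBE_HOSTS):
        if browser.visit(f"http://{host}") == "https":
            ident |= 1 << i
    return ident


def blow_all_fuses(browser):
    """Countermeasure 1: pin every probe host. Every user who runs this reads
    back as all ones, so the identifier carries no entropy at all."""
    for host in PROBE_HOSTS:
        browser.receive_hsts(host)


def blow_random_fuses(browser):
    """Countermeasure 2: pin a random subset. Because the client can only add
    pins in this model, the stored value becomes `ident | mask`, not `ident ^ mask`.
    Returns the mask so the caller can see what was changed."""
    mask = secrets.randbits(N_BITS)
    for i, host in enumerate(PROBE_HOSTS):
        if (mask >> i) & 1:
            browser.receive_hsts(host)
    return mask


if __name__ == "__main__":
    alice, bob = Browser(), Browser()
    tag(alice, 0xBEEF)  # constructed identifiers
    tag(bob, 0x0042)
    print("tagged:", hex(read_tag(alice)), hex(read_tag(bob)))
    blow_all_fuses(alice)
    blow_all_fuses(bob)
    print("after blowing all fuses:", hex(read_tag(alice)), hex(read_tag(bob)))
    carol = Browser()
    tag(carol, 0x1234)
    mask = blow_random_fuses(carol)
    print("random mask", hex(mask), "->", hex(read_tag(carol)))
```

Running the script shows the two browsers collapse onto the same all-ones value after the first countermeasure. The second one changes the profile, but only in one direction: a bit that the tracker already set stays set, so the identifier you end up presenting is a superset of your own rather than an arbitrary "someone else's" number.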



