HSTS Supports Targeted Surveillance

Authors:

Paul Syverson and Matthew Traudt, U.S. Naval Research Laboratory

Abstract:

HTTP Strict Transport Security (HSTS) was introduced to force clients to use HTTPS connections on sites that support it, thus preventing man-in-the-middle and other attacks. HSTS has always been understood to potentially allow sites to track visiting clients, but this security threat has been considered outweighed by the security benefits it provides. With specific examples, verified on a website constructed to test them, we show that tracking is far more significant than previously recognized. We also demonstrate how to use our approach to censor individuals or classes of visiting clients. Further, we describe and demonstrate how third parties, such as site analytics services, can track clients across multiple domains. We discuss possible changes to allow users to control HSTS settings and better manage their security, and we compare and complement HSTS with HTTPS Everywhere, a popular browser extension with similar goals.

BibTeX

@inproceedings{220225,
  author    = {Paul Syverson and Matthew Traudt},
  title     = {{HSTS} Supports Targeted Surveillance},
  booktitle = {8th {USENIX} Workshop on Free and Open Communications on the Internet ({FOCI} 18)},
  year      = {2018},
  address   = {Baltimore, MD},
  url       = {https://www.usenix.org/conference/foci18/presentation/syverson},
  publisher = {{USENIX} Association},
}