HSTS Supports Targeted Surveillance


Authors: Paul Syverson and Matthew Traudt, U.S. Naval Research Laboratory

Abstract:

HTTP Strict Transport Security (HSTS) was introduced to force clients to use HTTPS connections on sites that support it, thus preventing man-in-the-middle and other attacks. HSTS has always been understood to potentially allow sites to track visiting clients, but this security threat has been considered outweighed by the security benefits it provides. With specific examples, verified on a website constructed to test them, we show that tracking is far more significant than previously recognized. We also demonstrate how our approach can be used to censor individuals or classes of visiting clients. Further, we describe and demonstrate how third parties, such as site analytics services, can track clients across multiple domains. We discuss possible changes to allow users to control HSTS settings and better manage their security, and we compare and complement HSTS with HTTPS Everywhere, a popular browser extension with similar goals.


BibTeX
@inproceedings {220225,
author = {Paul Syverson and Matthew Traudt},
title = {{HSTS} Supports Targeted Surveillance},
booktitle = {8th {USENIX} Workshop on Free and Open Communications on the Internet ({FOCI} 18)},
year = {2018},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/foci18/presentation/syverson},
publisher = {{USENIX} Association},
month = aug,
}