• Stars
    star
    164
  • Rank 230,032 (Top 5 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created almost 9 years ago
  • Updated over 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Creates a HSTS Supercookie to fingerprint a browser

HSTS Super Cookie

Proof of Concept - Created by Ben Friedland

http://www.bugben.com

Creates a HSTS Supercookie to fingerprint a browser

This is a proof of concept self-hosted application which will lay a "super cookie" using the HSTS web standard.

How it works

HTTP Strict Transport Security (HSTS) is a web security standard implemented by browsers via a Response header which instructs the browser to send subsequent requests to this particular URL over HTTPS, even if the original request was made using HTTP. When a browser receives a HSTS instruction, that instruction is retained no matter what. Even if you go incognito or private.

Why I made this

This HSTS vulnerability has been known about for a while, and - while others have implemented it - I've yet to see someone make the code available. I've always thought that the more transparent a vulnerability is, the more likely it is to be addressed. How this one is addressed is another question.

How I implemented it

It's actually kind of simple. I've created a very basic web server hsts.py which is hosted behind 24 subdomains (w[0-23].bugben.com, in this example). All of these endpoints send the Strict-Transport-Security header to instruct the client that future visits should be redirected to the https version of the page.

On the first visit

Upon the first request to the index page, a random 24 bit integer is generated by the client.

Let's say the number is 8396804. This will be your fingerprint.

I then convert this integer into binary:

100000000010000000000100

And then map these bits as flags, to request several URLs which are served with the HSTS header. Since this example has 1's in the positions of 0, 10 and 22, I'd request three URLs over https:

https://w00.bugben.com
https://w10.bugben.com
https://w22.bugben.com

I can now guarantee that subsequent visits to the http version of this URL will be redirected to https.

On the next visit

To read the super cookie, I instruct the client to visit all 24 URLs. In this example, since only three of those URLs were visited during the previous visit, I can safely assume only three of these requests will be redirected.

// simplified for clarity
for (var i = 0; i < 24; i++) {
    var url = 'http://w' + i + '.bugben.com/h.gif';     
    bitArray[i] = hsts.httpGet(url)   // returns true if the request was a redirect
}

I determine whether the requests were redirected by the browser, and create a bit array with that information.

Requested URL Was Redirected Bit
http://w00.bugben.com/a.gif True 1
http://w01.bugben.com/a.gif False 0
http://w02.bugben.com/a.gif False 0
http://w03.bugben.com/a.gif False 0
http://w04.bugben.com/a.gif False 0
http://w05.bugben.com/a.gif False 0
http://w06.bugben.com/a.gif False 0
http://w07.bugben.com/a.gif False 0
http://w08.bugben.com/a.gif False 0
http://w09.bugben.com/a.gif False 0
http://w10.bugben.com/a.gif True 1
http://w11.bugben.com/a.gif False 0
http://w12.bugben.com/a.gif False 0
http://w13.bugben.com/a.gif False 0
http://w14.bugben.com/a.gif False 0
http://w15.bugben.com/a.gif False 0
http://w16.bugben.com/a.gif False 0
http://w17.bugben.com/a.gif False 0
http://w18.bugben.com/a.gif False 0
http://w19.bugben.com/a.gif False 0
http://w20.bugben.com/a.gif False 0
http://w21.bugben.com/a.gif False 0
http://w22.bugben.com/a.gif True 1
http://w23.bugben.com/a.gif False 0

Starting to look familiar?

[1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0]

I then reconstruct that bit array into a integer again, and bam - I've retrieved your fingerprint.

100000000010000000000100 == 8396804

Why it won't be fixed

Because security.

Security seems to be favored over privacy in this case. HSTS is very important because it can prevent MITM attacks when people simply enter www.facebook.com into their browser at a new location. If the client didn't store the fact that you always expect facebook to be secure, then a man-in-the-middle could easily intercept the request and serve back a non secure spoofed version of the site.

Where it works

Chrome - very reliable. Works when switching to incognito or even across profiles.

Firefox - Not super reliable, doesn't transfer to incognito.

Safari - Especially scary - since the HSTS information is actually persisted to your iCloud account and is therefore retained across devices.

IE/Edge - Dunno, please contact me or create an issue if you know.

Demo

TODO: I need a wildcard SSL cert ($$$) to host a live demo. Care to donate to the cause? BTC: 17FJJYY2B11Bx7xx5HepjJ3xAdaB14UMiw

More Repositories

1

git-draw

Allows you to draw in your github heatmap
JavaScript
2,160
star
2

rikeripsum

Generates text - like lorem ipsum - but uses real English. Taken from random samplings of dialog spoken by Commander William Riker in Star Trek: The Next Generation.
HTML
141
star
3

profanity

A Python library to check for (and clean) profanity in strings.
Python
59
star
4

bugben

My home - bugben.com
Python
31
star
5

bart-crime

Scrapes crime update emails from BART and posts them publicly
Python
28
star
6

homecontrol

Control your home with your voice
Python
19
star
7

showertexts

A service to send a daily shower thought to users via text message.
Python
12
star
8

rick-roulette

A chrome extension which will randomly redirect youtube views to a Rick Roll video.
JavaScript
9
star
9

dotfiles

Ben's dotfiles
Ruby
4
star
10

Annoying-Image-Detector

Detects whether an image is a facebook screen capture, or a iphone screen shot, or omeagle, etc.
4
star
11

mytush

A utility to read map points from email attachments and push them to MyFord Touch / SYNC services.
Python
3
star
12

resume-renderer

Renders a github repo resume
Go
2
star
13

pydvorak

A Python curses app to help teach Dvorak
Python
2
star
14

busy-boy

Populate your GitHub contribution graph
JavaScript
2
star
15

tic-tac-terminal

Tic-Tac-Toe in the terminal
Python
2
star
16

lactose-intolerance

JavaScript
2
star
17

loggish

Log sample project
JavaScript
1
star
18

nato-alphabet-trainer

Python command line nato alphabet trainer.
Python
1
star
19

word-alert

A simple app my dad requested which displays a random word every few seconds.
HTML
1
star
20

sfmovies

JavaScript
1
star
21

awesome-gen

Generates awesome text
JavaScript
1
star
22

yp-scrape

Python
1
star
23

ben174.github.io

Profile page of Ben Friedland
HTML
1
star
24

pyano

Python
1
star
25

optimizations

A playground where I can keep my findings on various optimizations of code.
Python
1
star
26

pynsweeper

An attempt at a console minecraft game
CSS
1
star
27

blind-cuber

An app to assist cubers in memorizing faces on a Rubik's cube.
1
star
28

exchanger

Python
1
star
29

connect-four

Connect four challenge
1
star
30

bart

Get the bart departure times of the closest station
JavaScript
1
star
31

stickerletters

Python
1
star
32

tictactoe

Python
1
star
33

goyagi

1
star
34

ender-3-s1pro-pi-mount

A mount for the Enter 3 S1 Pro to replace the onboard display with a Raspbery PI - using https://github.com/jordanruthe/KlipperScreen
1
star
35

bugben-static-site

1
star
36

hipproblems

Hipmunk problems
Python
1
star
37

yadm-dotfiles

Vim Script
1
star
38

sit

JavaScript
1
star
39

bay-beacons

Leaderboards for beacons in the bay area.
Python
1
star
40

lunch-bot

Python
1
star
41

pi-bin

Bin dir for my raspberry pi
Shell
1
star
42

bartcrimes-www

Web UI for BartCrimes.com
JavaScript
1
star
43

angular-progress-directive

An Angular directive which renders a circular progress meter with two values: Expected and Actual progress (0.0 - 1.0)
1
star
44

ui-progresspie

An Angular directive which renders a circular progress meter with two values: Expected and Actual progress (0.0 - 1.0)
JavaScript
1
star
45

genemachine

Python
1
star
46

scornhole

Pi client for scornhole
Python
1
star
47

bomdotcom

Python
1
star
48

bid-helper

JavaScript
1
star
49

bo.gg

Python
1
star
50

angrates

A place for people to collaborate and rate episodes of Armstrong and Getty
Python
1
star
51

bencast

A little podcast feed which I can add whatever media I feel like listening to.
Python
1
star
52

balancier

Book balancer
Python
1
star