What are HSTS Super cookies and why are they dangerous?
HSTS (HTTP Strict Transport Security) is a mechanism by which a website instructs the browser to always connect to it over a secure (HTTPS) connection.
This mechanism is also known as HSTS Super cookies, because the website passes the browser a flag that is stored persistently, is difficult to remove, and can be used to identify you at any time.
How do HSTS Super cookies work?
When you visit a website over a secure connection (https), the browser displays a special icon in the address bar, meaning that the connection is encrypted and cannot be intercepted by third parties.
Even if you reached the website through an unsecured "http://" link, after reading the HSTS header (if the website has it enabled) the browser automatically switches to the secure "https://" connection. To do this, the browser stores an HSTS flag (effectively "true" or "false") for each domain for a long time (often even in Private Browsing mode), and this flag can be read from any other domain (unlike cookies, which are available only to the domain that set them).
With the help of the HSTS mechanism you can be identified even after your IP address changes and when cookies and plug-ins are disabled.
How to protect yourself from HSTS Super cookies?
Newer versions of Opera, Firefox and Chrome allow removing HSTS entries.
In the Private Browsing mode of Firefox version 34.0.5 or higher, HSTS values are not stored during the session.
You can use older browser versions (for example, Opera version 12 or Internet Explorer version 11 or lower).
Unfortunately, the Safari browser not only stores HSTS Super cookies but also copies them to the iCloud service, so it is virtually impossible to delete them.
How to remove HSTS Super Cookies in Firefox:
Close all open tabs and windows of the desired site.
Remove the cookies and browsing history.
Type about:permissions in the address bar and then click “I'll be careful, I promise!”
Select a site from the list and click “Forget about this site”.
How to remove HSTS Super Cookies in Chrome / Opera:
Type chrome://net-internals/#hsts (for Chrome) or opera://net-internals/#hsts (for Opera) in the address bar.
Enter the desired domain name in the “Delete domain” field and click “Delete”.
Enter the domain name in the “Query domain” field and click “Query”. If the answer is “Not Found”, the HSTS entry for that domain has been removed.
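As an added example that is not part of the original article, the following Python sketch models the browser-side state described in the "How do HSTS Super cookies work?" section and manipulated by the Chrome/Opera removal steps above: a per-host HSTS store fed by Strict-Transport-Security headers, the automatic http-to-https upgrade, entry expiry, and the "Query domain" / "Delete domain" operations. The class, method names and hostnames are my own constructed assumptions, not any real browser's implementation.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Hypothetical, simplified model of a browser's HSTS state (RFC 6797)."""

    def __init__(self):
        # host -> (expiry as epoch seconds, includeSubDomains flag). Each host is
        # a separate entry, and that per-host presence bit is the "super cookie".
        self._entries = {}

    def process_header(self, host, header, now=None):
        """Apply a Strict-Transport-Security header received over HTTPS."""
        now = time.time() if now is None else now
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.IGNORECASE)
        if not m:
            return False  # no valid max-age: the header is ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # max-age=0 revokes the entry
            return True
        include_sub = re.search(r"includeSubDomains", header, re.I) is not None
        self._entries[host.lower()] = (now + max_age, include_sub)
        return True

    def query(self, host, now=None):
        """True if a non-expired entry covers host (own, or parent with includeSubDomains)."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # unknown or expired: not pinned
            if i == 0 or entry[1]:
                return True
        return False

    def delete(self, host):
        """Equivalent of 'Delete domain' / 'Forget about this site'."""
        return self._entries.pop(host.lower(), None) is not None

    def upgrade(self, url, now=None):
        """Rewrite an http:// URL to https:// when the host is pinned."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.query(parts.hostname or "", now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

After `delete()`, `query()` reports False for the host, which is the store-level meaning of the “Not Found” answer in the Chrome steps.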