Private browsing modes on most modern browsers are a nice way to at least partially cloak your online habits. But a new breed of super cookies can apparently bypass those privacy modes and keep track of what you're looking at all the time.

Ars Technica reports that a chink in the HTTP Strict Transport Security protocol makes it possible to fingerprint users who browse sites, even when they're using a privacy mode like Chrome's Incognito Browsing. HTTP Strict Transport Security is usually used to ensure that users only interact with the correct servers when using HTTPS connections, by flagging how one type of encryption should be used for all future interactions.


But security researcher Sam Greenhalgh has used the feature to create a new tool called HSTS Super Cookies. Just like normal cookies, they fingerprint a user when they're browsing without a privacy feature turned on, so they can be used to identify them at a later date. But these new cookies are visible even when using privacy modes, and can also be read by websites from multiple domain names, not just the original provide. Combined, that means that these super cookies will allow any number of websites to track a users movements on the web, even when they're using a private browsing mode. You can read more detail about how it works over on Ars Technica.

The vulnerability currently affects all versions of Chrome, Safari, and older versions of Firefox (33 or earlier). In some browsers, it's possible to flush the cookies: you just need to delete all cookies before you enter private browsing mode. Sadly, that doesn't seem to work on iPad and iPhone, though. Regardless, it's a rather depressing example of how even security features can be abused to compromise privacy. [Ars Technica]

Image by Alejandro C under Creative Commons license