How to prevent HSTS tracking in Firefox

HTTP Strict Transport Security (HSTS) was designed to help secure websites (those using HTTPS) by declaring to web browsers that they should communicate only via HTTPS with the server to protect connections against downgrade attacks and cookie hijacking.

Mozilla implemented support for HSTS in its current form in Firefox in 2014 and it has been active in all Firefox versions ever since.

Ars Technica were among the first to raise concerns about the implementation of HSTS in web browsers as it allowed site operators to plant supercookies in browsers using the technology that was designed to improve user security.

A demo site was created by Sam Greenhalgh to demonstrate the concept. When you visit the site in a browser supporting HSTS, you are assigned a unique ID which persists across browser sessions and can be used to track you because of it.


Note: This issue is not limited to the Firefox web browser. Google Chrome and other browsers that have implemented the feature are vulnerable to HSTS tracking as well.


How HSTS is handled by Firefox currently

Firefox saves HSTS information to the file SiteSecurityServiceState.txt which you find in the root of your Firefox profile folder.



The easiest way to open it is to load about:support in Firefox's address bar and to click on the "show folder" button on the page after it has loaded. This opens the profile folder of Firefox in the default system file browser.


When you open the file in a plain text editor you will see a list of domain names, each with values associated with it, including an expiration date.


Firefox handles HSTS in private browsing mode and regular browsing mode differently.

  1. Regular browsing mode: HSTS persists across sessions.
  2. Private browsing mode: HSTS information is deleted after the session.

Note that sites can still read HSTS information created during a regular browsing session when you open a private browsing window in that same session.

Protection against HSTS tracking

Unlike cookies, HSTS offers no whitelist or blacklist approach. The feature is enabled by default and there appears to be no preference to disable it.

Even if there were an option to do so, disabling HSTS would weaken security while browsing the Internet.

1. Only use Private Browsing Mode


Since Firefox clears HSTS information when you close a private browsing session, this is currently the best option to prevent supercookie tracking without compromising security.

To launch Firefox in private browsing mode, use the shortcut Ctrl-Shift-P, or hit the Alt-key and select File > New Private Window.


2.  Clear the Site Preferences on exit


The second option that you have is to clear Site Preferences whenever you close the Firefox browser. This gets rid of all HSTS information saved to the SiteSecurityServiceState.txt file, but it also clears other site-specific preferences such as per-site permissions and zoom levels.

Note: This works in Google Chrome as well. Press Ctrl-Shift-Del to open the clear browsing data dialog in the browser. Make sure "cookies and other site and plugin data" is selected and hit clear browsing data afterwards.

This will remove cookies and site preferences as well.

3. Remove entries from the HSTS file manually

The HSTS file is a plain text document, which means that you can edit its contents easily with any text editor.

Make sure Firefox is closed before you do so, because Firefox writes its in-memory HSTS state back to the file when it exits and will overwrite your changes.

The method gives you full control over HSTS but it requires manual intervention regularly, and may not be suitable because of this.

One option is to keep only the entries for selected sites in the file and make it read-only afterwards to block new entries from being added.

You will still need to edit it manually from time to time, as HSTS information has an expiry date.

4. Remove HSTS file data automatically

Programs like CCleaner support the cleaning of HSTS supercookies, but you can also empty the file regularly with a local command such as echo ' ' > SiteSecurityServiceState.txt run in the profile folder. If you add it to a batch file and run it on system start or shutdown, then you should not have to worry about HSTS information persisting across sessions.
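As an added example (not from the article), a small Python script that automates methods 3 and 4 with an allowlist: it keeps the HSTS entries for hosts you choose, drops expired ones, and removes everything else. The line layout (host, two counters, then an expiry in milliseconds since the Unix epoch and two flags) is an assumption taken from the sample entries quoted in the comments below; run it only while Firefox is closed.

```python
"""Prune Firefox's SiteSecurityServiceState.txt, keeping only chosen hosts.
Added example, not from the article. Assumes one entry per line shaped like
    host:HSTS<TAB>score<TAB>lastAccessed<TAB>expiryMs,flag,flag
(as quoted in the comments) and that the expiry is Unix time in milliseconds.
Run it only while Firefox is closed, since Firefox rewrites the file on exit."""
import re
import time
from pathlib import Path
# host:HSTS, two whitespace-separated fields, then the state field (expiry first)
ENTRY_RE = re.compile(r"^(?P<host>[^:\s]+):HSTS\s+\S+\s+\S+\s+(?P<expiry>\d+),")


def prune_hsts(text, keep_hosts, now_ms=None):
    """Return (kept_text, dropped_hosts): keep HSTS entries only for hosts in
    keep_hosts that have not yet expired; drop every other HSTS entry."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    keep = {h.lower() for h in keep_hosts}
    kept, dropped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:  # not an HSTS entry (e.g. another record type): leave as is
            kept.append(line)
            continue
        host = m.group("host").lower()
        if host in keep and int(m.group("expiry")) > now_ms:
            kept.append(line)
        else:
            dropped.append(host)
    return "".join(ln + "\n" for ln in kept), dropped


def prune_file(path, keep_hosts):
    """Rewrite the file in place and return the hosts that were removed."""
    p = Path(path)
    new_text, dropped = prune_hsts(p.read_text(encoding="utf-8"), keep_hosts)
    p.write_text(new_text, encoding="utf-8")
    return dropped


# Constructed sample in the same shape; 1602697055679 ms is October 2020.
SAMPLE = (
    "secure.informaction.com:HSTS\t0\t16724\t1602697055679,1,0\n"
    "tracker.example:HSTS\t0\t16724\t1602697055679,1,0\n"
    "bank.example:HSTS\t0\t16724\t1400000000000,1,0\n"  # expired in 2014
)

if __name__ == "__main__":  # now_ms pinned to mid-October 2015 for a stable demo
    print(prune_hsts(SAMPLE, ["secure.informaction.com", "bank.example"], 1445000000000))
```

Point prune_file at the SiteSecurityServiceState.txt in your profile folder and schedule it at logon or shutdown; unlike emptying the file, it keeps the HSTS protection for the sites you list.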

5. Make the HSTS file read-only


This radical approach blocks Firefox from saving information to the HSTS file. While that is effective in preventing tracking, it means that the browser cannot make use of HSTS to improve security.

To make it read-only on Windows, right-click the file and select Properties from the context menu. Locate the Read-only box on the properties page and check it. Click OK afterwards to apply the change. (Thanks Pants)


Responses to How to prevent HSTS tracking in Firefox

  1. Tom Hawack October 16, 2015 at 11:34 am #

    This is most interesting and I feel ashamed of not having been aware of this when I am so deeply committed to privacy.
    This could be an argument in favor of HTTPS Everywhere, the extension, together with creation of an empty SiteSecurityServiceState.txt set to Read-only. Correct me if I'm wrong.

    Well, you learn every day. Many thanks, Martin.

    • Haakon October 16, 2015 at 8:25 pm #

      It should be noted HTTPS Everywhere isn't actually "everywhere" but where "every" is for what exists in its Rules: in the menu see View All Rules. A great tool in anyone's browser privacy strategy, but not a fix-all.

  2. Inolvidable October 16, 2015 at 12:22 pm #

    Very very useful piece of information I was unaware of. Thanks Martin

  3. Corky October 16, 2015 at 12:38 pm #

    Or just use Pale Moon, problem solved.

    • anon October 17, 2015 at 1:06 pm #

      HSTS is a web standard.

      https://www.ietf.org/rfc/rfc6797.txt

      • Corky October 17, 2015 at 6:59 pm #

        Isn't the problem, as Martin mentions in the article, getting issued a unique ID which persists across browser sessions? When I used the site linked in the article I got a different ID when doing each of the tests listed.

        I haven't looked into it any more than that, as I just assumed that since I wasn't getting the same tracking ID each time, the tracking wouldn't work.

      • Moonchild October 21, 2015 at 1:48 am #

        It's optional to enable/disable HSTS in Pale Moon, is what Corky was trying to say. Privacy vs. security choice.

  4. Pants October 16, 2015 at 1:10 pm #

    I mentioned this to Martin because CCleaner was finding "cookies" that shouldn't have been there, and my initial thought was something fundamental had broken in an extension or in FF. I did some testing in a new clean portable FF but the problem persisted .. turns out recently CCleaner added entries in that txt file under "cookies"

    I am getting concerned about the myriad of places where "tracking data" is being stored, with no fine tuning ability to clean that #h!T out, if any ability at all - think dom storage, indexeddb, seer/necko databases and more. I don't consider wiping site prefs as a solution, as it disrupts too many other features (I save and allow 20 odd cookies for convenience,
    and no doubt there are a couple of specific site pref overrides from my defaults).

    I personally am going the route of a read only empty txt file. It's a trade off but the chances of getting stung are slim to none, and there are other countermeasures. Or since it's just metadata on my local drive - ccleaner will do the job.

    I also want to say blocking the use of the SiteSecurityServiceState.txt does not stop HSTS tracking - at least not fully. I don't profess to knowing how this all works, or where it's being stored - but using the test site (and I have no dom storage, no cookies, no indexeddb, nothing, no disk cache, nada, zip: I am screwed down tighter than a nun's arse) - across any FF session the unique code persists. NOTE: there is no cross-contamination between normal browsing and private browsing modes - but you are still tracked across that mode.

    FF normal mode - until I restart FF, the site "READS" my unique code.
    FF private browsing - If I start a new private window, UNTIL that window is closed, it tracks me across it - i.e each private window has its own session/unique code

    *sigh* I'm kinda getting tired of all this .. maybe I'll just get ahead of the game and release my dick picks and home made hairy midget porn .. god only knows I've already leaked them three times to that TMZ reporter .. I'll try again this weekend guys

    • Tom Hawack October 16, 2015 at 2:00 pm #

      Hi Pants,

      I've been doing some testing on http://www.radicalresearch.co.uk/lab/hstssupercookies ("SuperCookieID") together with my SiteSecurityServiceState.txt file.

      I didn't delete Firefox's site preferences, only cache and cookies even if the latter two don't change anything to the problematic here on Firefox.

      SiteSecurityServiceState.txt normal : SupercookieID remains the same even after restart ;
      SiteSecurityServiceState.txt 0byte Read-only : SupercookieID changes after restart ;
      Whatever SiteSecurityServiceState.txt AND Private Mode : SupercookieID changes every time it is checked (without restart)

      So now I'm testing SiteSecurityServiceState.txt 0byte Read-only together with HTTPS Everywhere which I've reinstalled after having dropped it for some time. Seems at this time to be a good combination.

      • gregory May 21, 2016 at 12:29 am #

        What's your setup now with regards to HSTS now that you've finished your testing (presumably)?

  5. Pants October 16, 2015 at 1:17 pm #

    Martin - you have written "HTST" a number of times - it should be "HSTS" - search and replace time dude

  6. Jonny October 16, 2015 at 2:07 pm #

    So will we now have a FF and Chrome add-on appearing soon to tackle this in an easy way on the add-on toolbar? Can an add-on do this?

    • Pants October 16, 2015 at 3:40 pm #

      I'm thinking some sort of script injection that strips out any attempts to store a unique identifier - not sure what this entails or even if it is feasible. I'm also thinking nothing will happen because this has been around for 18 months

  7. Belga October 16, 2015 at 7:02 pm #

    This addon can help to delete Firefox's site preferences (among other things about privacy): https://addons.mozilla.org/en-GB/firefox/addon/clickclean/
    (see on Gizmo)

  8. G-EO October 16, 2015 at 8:10 pm #

    Something I've noticed,

    NoScript adds - secure.informaction.com:HSTS 0 16724 1602697055679,1,0
    and
    Firefox adds - blocklist.addons.mozilla.org:HSTS 0 16724 1476553172208,1,0

    to SiteSecurityServiceState.txt. Both entries are persistent across browser sessions regardless of whether you have Private Browsing Mode enabled, or you clear Site Preferences.

    Thanks, Martin & Pants for bringing this subject to our attention.

    • Hy November 15, 2015 at 2:19 am #

      Yes, I've noticed those two domains persisting as well, along with two more from Mozilla: blocklist.addons.mozilla.org and publicsuffix.org.

      I, too, am running in Private Browsing mode always, and run CCleaner every time after closing the browser. Yet, the three from Mozilla (and one from NoScript) persist. I even manually removed them from the txt file, saved the file that way, and yet, they always return.

      Anyone have any thoughts at all about this? I don't like that Mozilla has three persistent domains in there that are or may be, or at least are able, to track me. Thanks in advance for any help!

  9. Gabriel October 16, 2015 at 11:05 pm #

    I use "selectivecookiedelete" addon for Firefox.
    You can whitelist (or blacklist) sites and when you close the browser it will delete all cookies that are not in the whitelist automatically.
    Works for me.

    • Gabriel October 16, 2015 at 11:11 pm #

      Nvm... After some tests I see it doesn't delete super cookies :/

  10. Leandro October 17, 2015 at 1:11 am #

    ConfigFox' next version has a tool for it. I call it Dummy Files:
    http://s2.postimg.org/dkbsii7g9/clipboard20151016200920.png

    • Martin Brinkmann October 17, 2015 at 7:56 am #

      That's really cool Leandro, let me know when it is ready.

      • Leandro October 17, 2015 at 2:31 pm #

        Sure. I'll keep you posted.

  11. Gonzo October 17, 2015 at 5:28 am #

    I don't want to wipe all of my site prefs so I added this to my CCleaner winapp2.ini

    [Firefox HSTS Storage]
    LangSecRef=3026
    DetectFile1=%AppData%\Mozilla\Firefox\Profiles\*
    Default=False
    FileKey1=%AppData%\Mozilla\Firefox\Profiles\*|SiteSecurityServiceState.txt

    • Pants October 17, 2015 at 8:03 am #

      CCleaner already detects and cleans the SiteSecurityServiceState.txt - leaving in any allowed domains

  12. Pants October 17, 2015 at 8:02 am #

    For those who want to know what's going on, read this: https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/

    By emptying and rendering the SiteSecurityServiceState.txt read only, you are NOT totally defeating HSTS tracking. Every time you restart your FF, you start clean and would get assigned a new unique ID. But that will persist until you close FF. Not sure about you, but my FF stays open for days at a time. If the txt file isn't being used, then where the hell is that information being stored?

  13. wybo October 17, 2015 at 11:53 am #

    It is getting more complicated by the day to keep ones privacy.

    I will wait until there is an extension to zap HSTS.

    Thanks Martin for this informative article.

  14. CHEF-KOCh October 17, 2015 at 2:32 pm #

    I highly doubt that this will prevent the browser from just creating another file if it's needed. You can't really prevent it without blocking the entire domain, so the tip with CCleaner is better imho. In fact HSTS isn't always evil, as mentioned it's a standard which also can be used for evil things, same like normal cookies, WebRTC, WebGL, fonts and and and. So be careful with this trick.

    CCleaner can since the latest 2 releases clean HSTS, also on Chrome without any bigger problems.

  15. Hans van Aken October 17, 2015 at 4:36 pm #

    With "Cookie Controller" you can destroy supercookies selectively.
    https://addons.mozilla.org/de/firefox/addon/cookie-controller/?src=search

    Thank you, Martin, for another great article. I'm looking forward to what
    will be presented some day by Pants, Leandro or somebody else.

  16. mantou October 26, 2015 at 2:18 pm #

    1.How to add your own HSTS records?

    2.http://www.radicalresearch.co.uk/lab/hstssupercookies
    How to store the data, where to store?

    thx
