q: HSTS priming #363

Closed
Thorin-Oakenpants opened this issue Feb 15, 2018 · 15 comments
Comments

@Thorin-Oakenpants
Contributor

Thorin-Oakenpants commented Feb 15, 2018

snip

@crssi

crssi commented Feb 15, 2018

You can defend against HSTS priming by deleting the file SiteSecurityServiceState.txt in the profile and creating a folder with the exact same name.

@crssi

crssi commented Feb 15, 2018

I am not sure, but if I remember correctly, in the past the FF update process repaired the access to this file, so all of a sudden it had normal access. To avoid this you can "change it" to a folder, in which case the update is not able to mess it up. But I would not bet on what I say.

Does it not stop HSTS tracking?
When I go to http://www.radicalresearch.co.uk/lab/hstssupercookies/ every time I have a different ID, even if I open many of the same windows/tabs in parallel.
At least I observed this behavior in the past.
But I have retested it again just now with a text file instead of a folder and it does not make a difference, so every time a different ID.

Or I have messed up everything in my depleted memory. ;)

@earthlng
Contributor

> in our case, only apply when 1st party is HTTP

if the main page is HTTP then the mixed-content-blocker will never kick in and therefore neither will HSTS Priming.

HSTS Priming will be removed in FF59 anyway, no need to change anything now.

> HSTS supercookie is thwarted by having no mixed content.

that's definitely not true. The demo site uses HTTP for its main page on purpose.

> every single page load is a new id - same window, same tab, not clearing anything .. sweeet

yeah well that's because the site is very old and nobody cared to get new certs for all the subdomains they use in the test. If you would load the site with the network manager open, you'd see that all the requests have an exclamation mark, indicating that "a security error prevented the site from being loaded". Now all you'd have to do is open the console and see all the cert errors, like "b-hsts-lab.radicalresearch.co.uk:443 uses an invalid security certificate. The certificate expired on ..."
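The mechanics behind the two comments above, as an added example that is not code from this issue or from the radicalresearch demo: a self-contained Node.js model of an HSTS supercookie. A tracker owns one subdomain per id bit; on a first visit it loads the 1-bit subdomains over HTTPS so each response's Strict-Transport-Security header lands in the browser's HSTS cache (the data Firefox keeps in SiteSecurityServiceState.txt); on later visits, from an HTTP top-level page where mixed-content blocking never applies, it requests every bit subdomain over plain HTTP and reads the bits off which requests the browser silently upgraded to HTTPS. The model also shows the two failure modes discussed here: when the subdomain certs are expired, every HTTPS load aborts, nothing is cached, and each page load mints a fresh id; and clearing the HSTS cache (the effect of deleting the state file) resets the id the same way. The hostname hsts-lab.example and the /set and /read paths are hypothetical; mixed-content blocking is not modelled because the demo deliberately serves its main page over HTTP.

```javascript
'use strict';
// Added example (not code from this issue or from the radicalresearch demo):
// a self-contained model of an HSTS supercookie. Hostnames are hypothetical.

const BITS = 8;                                  // id width; enough for the demo
const TRACKER = 'hsts-lab.example';              // hypothetical tracker domain
const bitHost = (i) => `b${i}-${TRACKER}`;       // one subdomain per bit

// Browser model: an HSTS cache (the data Firefox persists in
// SiteSecurityServiceState.txt) plus a fetch() that applies the upgrade rule.
class Browser {
  constructor() { this.hsts = new Map(); }       // host -> expiry time (ms)
  clearHsts() { this.hsts.clear(); }             // like deleting the state file
  // Returns {scheme, headers}, or null when the load failed (TLS error).
  fetch(url, server, now = Date.now()) {
    const u = new URL(url);
    const exp = this.hsts.get(u.hostname);
    if (exp !== undefined && exp > now) u.protocol = 'https:';   // HSTS upgrade
    const res = server.handle(u);
    if (res === null) return null;
    // Per RFC 6797 the STS header is only honoured on an HTTPS response.
    const sts = res.headers['strict-transport-security'];
    if (u.protocol === 'https:' && sts) {
      const m = /max-age=(\d+)/.exec(sts);
      if (m) this.hsts.set(u.hostname, now + Number(m[1]) * 1000);
    }
    return res;
  }
}

// Tracker model: HTTPS loads fail outright when its subdomain certs have
// expired (the console errors earthlng describes); /set over HTTPS emits STS.
class Tracker {
  constructor({ certsValid = true } = {}) {
    this.certsValid = certsValid;
    this.nextId = 1;                             // 0 is reserved for "no id yet"
  }
  handle(u) {
    if (u.protocol === 'https:' && !this.certsValid) return null;
    const headers = {};
    if (u.protocol === 'https:' && u.pathname === '/set') {
      headers['strict-transport-security'] = 'max-age=31536000';
    }
    return { scheme: u.protocol.replace(':', ''), headers };
  }
}

// Write phase: every 1-bit subdomain is loaded over HTTPS so its STS header
// lands in the cache; 0-bit subdomains are never requested at all.
function writeId(browser, tracker, id) {
  for (let i = 0; i < BITS; i++) {
    if ((id >> i) & 1) browser.fetch(`https://${bitHost(i)}/set`, tracker);
  }
}

// Read phase, from an HTTP top-level page (so no mixed-content blocking):
// request every bit host over plain HTTP; the browser upgrades only the hosts
// it has HSTS entries for, and the server reads the bits off the scheme.
function readId(browser, tracker) {
  let id = 0;
  for (let i = 0; i < BITS; i++) {
    const res = browser.fetch(`http://${bitHost(i)}/read`, tracker);
    if (res !== null && res.scheme === 'https') id |= 1 << i;
  }
  return id;
}

// One page load of the tracker page: read back the id, or mint and store one.
function visit(browser, tracker) {
  const stored = readId(browser, tracker);
  if (stored !== 0) return { id: stored, isNew: false };
  const id = tracker.nextId++;
  writeId(browser, tracker, id);
  return { id, isNew: true };
}

// Load the page `loads` times in one browser and return the id seen each time.
function scenario({ certsValid = true, loads = 3, clearBetween = false } = {}) {
  const browser = new Browser();
  const tracker = new Tracker({ certsValid });
  const ids = [];
  for (let n = 0; n < loads; n++) {
    if (clearBetween && n > 0) browser.clearHsts();
    ids.push(visit(browser, tracker).id);
  }
  return ids;
}

console.log('valid certs, reload x3:   ', scenario());                        // [1,1,1]
console.log('expired certs, reload x3: ', scenario({ certsValid: false }));   // [1,2,3]
console.log('state cleared each load:  ', scenario({ clearBetween: true }));  // [1,2,3]
```

Run with `node hsts-supercookie.js`. The first line is the working supercookie (same id on every reload without any cookie or storage); the second reproduces what the demo site does today with expired certs, a new id on every load because the write phase never succeeds; the third is what deleting SiteSecurityServiceState.txt buys you, a reset, not immunity, since the next load writes a fresh id.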

@crssi

crssi commented Feb 15, 2018

Thanks.. so FF59 to the rescue, since unfortunately I have too many breakages when blocking mixed content. 😢

@earthlng
Contributor

HSTS Priming was meant to help unblock certain images and whatnot. Removing it won't help you at all with too many breakages

@crssi

crssi commented Feb 15, 2018

Now I am also not sure that we are on the same page. Are we talking here about 1240 and 1241?

@earthlng
Contributor

earthlng commented Feb 15, 2018

HSTS Priming is 1242 security.mixed_content.send_hsts_priming

edit: but both prefs in 1242 will be removed in FF59

@Atavic

Atavic commented Feb 16, 2018

Privacy/Security

Domain Name: HSTSPRELOAD.ORG
Registrant Organization: Google Inc.

@crssi

crssi commented Mar 1, 2018

Is this false or deprecated?
Not the demo page, but the "avoidance" method.

@fmarier

fmarier commented Mar 19, 2018

https://bugzilla.mozilla.org/show_bug.cgi?id=1447011

@Atavic

Atavic commented Mar 19, 2018

@crssi The test page was focused on Safari.

@crssi

crssi commented Mar 20, 2018

Thank you @Atavic.
That demo page worked perfectly on any desktop and mobile browser that came to my mind at the time, even if it was focused on Safari only.

@Atavic

Atavic commented Mar 21, 2018

http://web.archive.org/web/20180105223717/http://www.radicalresearch.co.uk/lab/hstssupercookies is still setting tracking ids (tested on two browsers).

@crssi

crssi commented Mar 21, 2018

@Atavic
I cannot reproduce that it's working on IE, Edge, Firefox, mobile Safari, mobile Firefox...
Even simple page reload generates a new/different id.

@Atavic

Atavic commented Oct 21, 2018

Dude here linked this test:
http://f.vision/

...where friggin' HSTS is the only hash big-brothering me:

HASHES:

HSTS 400f6d
WEBGL N/A
CANVAS N/A
PLUGINS N/A
AUDIO N/A
CLIENT RECTS N/A
FONTS N/A
