Add information about TLS tracking

ed9cc4e2 · Frank Sauerburger · 91295ab1 · ed9cc4e2
Verified Commit ed9cc4e2 authored 6 years ago by Frank Sauerburger
--- a/app/assets/index.html
+++ b/app/assets/index.html
@@ -16,6 +16,29 @@
  <main>
    <p>
      This page demonstrates how TLS can be abused to track users employing HTTP Strict Transport Security (HSTS).
+    </p>
+    <p>
+      This website uses a large number of subdomains named
+      bXXXX.tls-tracking.sauerburger.com where X represents an arbitrary digit.
+      The subdomains can be accessed via HTTP or HTTPS. If the browser requests
+      the secure connection, the server sets the HSTS policy. This means that
+      the
+      server tells the browser to remember that this subdomain should be
+      accessed only via HTTPS (not HTTP) in the future (usually for one year).
+      If the user enters the HTTP version, the browser automatically rewrites
+      the request from HTTP to HTTPS.
+    </p>
+    <p>
+      Every subdomain represents a single bit. It is either accessed via HTTP or
+      HTTPS. An arbitrary binary identifier can be encoded by accessing the
+      HTTPS version of the subdomains for those bits that are 1. In the future,
+      the same HTTP/HTTPS pattern for all subdomains makes it possible to
+      retrieve and decode the identifier.
+    <p>
+    <p>
+      This page lets you encode an arbitrary string into the HSTS storage of
+      your browser. To delete the HSTS storage and thus the string, you need to
+      clear (recent) browsing history.
    </p>
 		<div id="react-root"></div>
 	</main>