From ed9cc4e26445f4e25fab2f58857d9153bafe31c6 Mon Sep 17 00:00:00 2001
From: Frank Sauerburger <frank@sauerburger.com>
Date: Wed, 30 Jan 2019 10:55:23 +0100
Subject: [PATCH] Add information about TLS tracking

---
 app/assets/index.html | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/app/assets/index.html b/app/assets/index.html
index 341ee3d..cc5b483 100644
--- a/app/assets/index.html
+++ b/app/assets/index.html
@@ -16,6 +16,29 @@
   <main>
     <p>
       This page demonstrates how TLS can be abused to track users employing HTTP Strict Transport Security (HSTS).
+    </p>
+    <p>
+      This website uses a large number of subdomains named
+      bXXXX.tls-tracking.sauerburger.com where X represents an arbitrary digit.
+      The subdomains can be accessed via HTTP or HTTPS. If the browser requests
+      the secure connection, the server sets the HSTS policy. This means that
+      the
+      server tells the browser to remember that this subdomain should be
+      accessed only via HTTPS (not HTTP) in the future (usually for one year).
+      If the user enters the HTTP version, the browser automatically rewrites
+      the request from HTTP to HTTPS.
+    </p>
+    <p>
+      Every subdomain represents a single bit. It is either accessed via HTTP or
+      HTTPS. An arbitrary binary identifier can be encoded by accessing the
+      HTTPS version of the subdomains for those bits that are 1. In the future,
+      the same HTTP/HTTPS pattern for all subdomains makes it possible to
+      retrieve and decode the identifier.
+    <p>
+    <p>
+      This page lets you encode an arbitrary string into the HSTS storage of
+      your browser. To delete the HSTS storage and thus the string, you need to
+      clear (recent) browsing history.
     </p>
 		<div id="react-root"></div>
 	</main>
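Review bot: the third added paragraph is closed with an opening tag instead of a closing one, which leaves the HTML malformed; after `+      retrieve and decode the identifier.` the line `+    <p>` should be `+    </p>`, otherwise the paragraph nests into the next `<p>` and the final `</p>` context line ends up matching the wrong element. Two wording points in the same hunk: "usually for one year" describes a common `max-age`, but the duration is whatever this server sends in its `Strict-Transport-Security` header, so state the value the site actually uses rather than a typical one; and "how TLS can be abused to track users employing HTTP Strict Transport Security (HSTS)" reads as if it were the users who employ HSTS, when it is the site that sets the policy. The read-back step is also left implicit: "the same HTTP/HTTPS pattern for all subdomains makes it possible to retrieve and decode the identifier" would be clearer with one sentence saying that the page later requests the plain-HTTP URL of every subdomain and records which of those requests the browser upgrades to HTTPS, since that is what turns the stored policy back into a bit. Finally, "you need to clear (recent) browsing history" is browser-specific; naming which browsers clear HSTS entries with history and which need the site data cleared separately would make the deletion instruction accurate.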
-- 
GitLab