A new type of browser attack was demonstrated at the Toorcon conference that reveals which sites a user has visited before. The attack applies to websites that have HSTS (HTTP Strict Transport Security) enabled to automatically redirect to HTTPS when a resource is requested over HTTP.
It works even if the user has cleared their browsing history. To demonstrate the vulnerability, a special page was prepared that can determine whether some popular websites were opened in the past. The vulnerability shows up clearly in Firefox and Chrome, but it also affects other browsers that support HSTS. Only the Tor Browser is not vulnerable, because it limits timer precision.
Interestingly, Chrome developers received reports about a similar method of determining opened sites about a year ago, and the problem is still not fixed. If a site is requested on port 443 over the HTTP protocol (http://example.com:443), the request causes an error if the site has not been opened earlier. If the site has been opened in the past and uses the HSTS flag, the browser automatically rewrites the address to https://example.com:443 and the request succeeds.
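The state-dependent rewrite described above can be modeled without any network access. The following is an added example, not code from the demonstration page or from any browser: the class and function names are hypothetical, the hostnames and timestamps are constructed, and `requestOutcome` assumes that port 443 accepts only TLS.

```javascript
// Model of a browser HSTS store and the http -> https rewrite (RFC 6797, section 8.3).
// All names here are hypothetical; hosts and timestamps are constructed sample data.
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record a Strict-Transport-Security policy received over HTTPS from `host`.
  note(host, maxAgeSeconds, includeSubDomains, nowMs) {
    if (maxAgeSeconds === 0) { this.entries.delete(host); return; } // max-age=0 removes the entry
    this.entries.set(host, { expires: nowMs + maxAgeSeconds * 1000, includeSubDomains });
  }

  // True if `host` itself, or a parent that set includeSubDomains, has an unexpired entry.
  isKnown(host, nowMs) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join('.'));
      if (e && e.expires > nowMs && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }
}

// URL the browser actually requests. An explicit non-80 port is preserved,
// which is why http://example.com:443 becomes https://example.com:443.
function effectiveUrl(rawUrl, store, nowMs) {
  const u = new URL(rawUrl);
  if (u.protocol !== 'http:' || !store.isKnown(u.hostname, nowMs)) return u.href;
  const port = u.port === '' ? '' : ':' + u.port; // '' means the default port 80
  return 'https://' + u.hostname + port + u.pathname + u.search;
}

// Assumption: a server on port 443 speaks TLS only, so plain HTTP to it fails.
function requestOutcome(url) {
  const u = new URL(url);
  return (u.protocol === 'http:' && u.port === '443') ? 'error' : 'loads';
}

const now = 1000000;                       // constructed clock value
const visited = new HstsStore();           // profile that opened the site earlier
visited.note('example.com', 31536000, true, now);
const fresh = new HstsStore();             // profile that never opened it

for (const [name, store] of [['visited', visited], ['fresh', fresh]]) {
  const url = effectiveUrl('http://example.com:443/', store, now);
  console.log(name, url, requestOutcome(url));
}
```

The two profiles send different requests for the same address, and that difference is all an embedding page has to observe. The store in this model is separate from browsing history, so only removing the HSTS entry (or its expiry) returns the `visited` profile to the `fresh` behaviour.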
Another vulnerability is related to the public key pinning mechanism (HPKP, HTTP Public Key Pinning), which lets a site state explicitly which certificate authorities' certificates are allowed for it. This vulnerability can be used in Chrome or Firefox to track visitors without using cookies. Using HPKP, an arbitrary identifier disguised as a certificate can be bound to the browser, and it will be unique for each visitor. Later, this binding can be used to reliably detect a return visit by the same user, in much the same way a cookie is used for identification. What sets it apart is that the binding persists even when cookies are removed, and removing HPKP records is not obvious: you have to open the internal page (chrome://net-internals/#hpkp) and do it for a particular domain, since there is no way to see the list of domains that have HPKP bindings.