This page demonstrates how TLS can be abused to track users employing HTTP Strict Transport Security (HSTS).
This website uses a large number of subdomains named bXXX.tls-tracking.sauerburger.com where X represents an arbitrary digit. The subdomains can be accessed via HTTP or HTTPS. If the browser requests the secure connection, the server sets the HSTS policy. This means that the server tells the browser to remember that this subdomain should be accessed only via HTTPS (not HTTP) in the future (usually for one year). If the user enters the HTTP version, the browser automatically rewrites the request from HTTP to HTTPS.
Every subdomain represents a single bit. It is either accessed via HTTP or HTTPS. An arbitrary binary identifier can be encoded by accessing the HTTPS version of the subdomains for those bits that are 1. In the future, the same HTTP/HTTPS pattern for all subdomains makes it possible to retrieve and decode the identifier.
This page lets you encode an arbitrary string into the HSTS storage of your browser. To delete the HSTS storage and thus the string, you need to clear (recent) browsing history.
See my post about this technique and the development repository for this live demonstration.