Most Browsers Allow Permanent User Tracking via TLS Sessions

(Image credit: Shutterstock)

A new web security paper via ArXiv has revealed details about a little known TLS tracking technique that companies can use to track users across the web.

TLS Tracking Across the Web

Most users know that they can be tracked via cookies, which is why some delete them or use their browsers’ own “private modes,” which don’t store session cookies. However, over the past few years, due to browsers continuing to implement advanced new features, new tracking capabilities have appeared, such as browser fingerprinting and now TLS tracking too.

When a TLS connection is made between the user’s computer and the visited website’s server, some encryption-related information is exchanged, which can be reused the next time the same visitor comes to the site. Because this information is unique to that user, the service provider or a third-party tracker can recognize and then track the user across the web.

The Hamburg University researchers also revealed that the default lifetime for TLS session resumption in most browsers is up to eight days. What this means in practice is that two-thirds of the internet users can be tracked permanently through these TLS sessions.

The danger is associated mostly with third-party trackers, such as Google, that interact with users via many host names. The researchers noted that Google’s tracking service is present on 80 percent of the sites on Alexa's top one million sites list.

The researchers also warned that in the case of 0-RTT (zero-round trip) resumptions when using TLS 1.3, forward secrecy can not be supported, thus also reducing the communications security.

Countermeasures Against TLS Tracking

The best way to fight against this form of TLS tracking is to pressure browsers to disable it completely (especially for third-party tracking services) or at least allow users to disable it manually. The Tor browser is one of the browsers that disables TLS tracking by default.

Based on the empirical evidence the researchers have gathered, they recommended that the TLS session resumption lifetime should be at most 10 minutes, not seven days as it’s currently recommended for the latest version of TLS (1.3).

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • hannibal
    So Great... you can have add block anonymous mode and so on and stlll be followed by allmost everybody... wellcome to 1984 orwell
    Reply
  • audiospecaccts
    Ok, so in firefox's about:config
    devtools.remote.tls-handshake-timeout 60
    network.http.spdy.enforce-tls-profile false
    network.proxy.proxy_over_tls false
    security.webauth.u2f false
    security.webauth.webauthn false
    security.tls.version.min 3

    right click and add the boolean key:

    security.ssl.disable_session_identifiers true


    you might get a little bit of pause, but that's because we denied the remote data mining server access :P
    Reply
  • Stephen_144
    Anyone know the steps to lower the session resumption lifetime value to 10 mins on a Chrome web browser on Windows 10 64bit build 1809?
    Reply
  • cumbrespass
    For AUDIOSPECACCTS: Thanks for the info, but I don't see where " firefox's about:config" resides? How about a clue, please?
    Reply
  • nobodynowhere
    cumbrepass: Firefox - Address Bar - Type in: ABOUT:CONFIG and hit ENTER --It will take you to the configuration page. It appears audios is suggesting changes to each line listed, and adding one. The page is in alpha. order, so each line easy to find - just scroll down the page using the leftmost words in each line til u match all words in the line. To change a value, right click on line and u will see the menu choices.
    Reply
  • Olle P
    21420233 said:
    Ok, so in firefox's ...
    Thank you! :love:
    I noticed the default setting was to keep the key for 100k seconds (~28h).

    Reply
  • audiospecaccts
    21424562 said:
    For AUDIOSPECACCTS: Thanks for the info, but I don't see where " firefox's about:config" resides? How about a clue, please?

    type:

    about:config

    in the url bar.

    Then you will get the registry warning page for firefox , click the button "I accept the risk"
    Reply
  • audiospecaccts
    also, you should disable web rtc ip signaler in about:config by setting :

    media.peerconnection.enabled false

    so no ip leaks from the guys that have modified web rtc and using it to get others ip from a non-web server when they are on the same site (like amaszon.com for instance).
    Reply
  • audiospecaccts
    21425433 said:
    21420233 said:
    Ok, so in firefox's ...
    Thank you! :love:
    I noticed the default setting was to keep the key for 100k seconds (~28h).

    I know, isn't that a crazy number the set for the default!
    ;)
    Reply
  • audiospecaccts
    21422069 said:
    Anyone know the steps to lower the session resumption lifetime value to 10 mins on a Chrome web browser on Windows 10 64bit build 1809?

    in windows 10 + chrome you will need to do both chrome and intenet explorer's settings because of the session leak they have currently.
    Reply