Protect against TLS session resumption tracking #2164

Open

bcyphers opened this issue Sep 7, 2018 · 1 comment
Labels
enhancement privacy General privacy issues; stuff that isn't about Privacy Badger's heuristic

Comments

@bcyphers
Contributor

bcyphers commented Sep 7, 2018

As described in this paper (also here), the TLS session resumption feature can be used for third-party tracking. When you connect to a domain over TLS, your browser creates a session ticket (or ID) with an expiration time -- in Firefox, 1 day by default. If you connect to the same domain again before the ticket expires, your browser will send that ticket instead of going through the normal TLS handshake, allowing the server to tie your request to your previous visits, no cookies required.

Tor Browser turned this off by default a long time ago: https://trac.torproject.org/projects/tor/ticket/4099

Firefox also has a (secret) option to turn this off, see https://bugzilla.mozilla.org/show_bug.cgi?id=967977. I think we should have Privacy Badger disable it by default.

Afaik Chrome doesn't let the user control this. Chrome's default expiration time is 30 mins for session IDs / 1 hour for tickets, so there's less of a risk of multisession tracking, but it would still be nice to be able to turn it off altogether. The most relevant Chromium ticket I could find is here -- it might be worth opening a new one there.

@ghostwords ghostwords added the privacy General privacy issues; stuff that isn't about Privacy Badger's heuristic label Sep 8, 2018
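The mechanism described in the issue, as an added example that is not part of the issue, of the linked paper, or of Privacy Badger's code: a Go program that runs a TLS server in-process with a constructed self-signed certificate (the host name tracker.example is invented), connects from one client several times in a row, and reports per visit whether the server saw a resumed session. With a client session cache in place the second visit already resumes, and that resumption is the cross-visit link the server gets without any cookie. Dropping the client cache (the analogue of Tor Browser's setting and of Firefox's security.ssl.disable_session_identifiers pref from the linked Bugzilla entry) or disabling tickets on the server makes every visit a fresh handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Options for one experiment. ClientKeepsTickets models a browser that keeps
// session tickets (the default); ServerIssuesTickets models the server knob.
type Options struct {
	ClientKeepsTickets  bool
	ServerIssuesTickets bool
	Visits              int
}

// selfSignedCert builds a throwaway certificate for the in-process server.
// Constructed for this example only; "tracker.example" is an invented name.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tracker.example"},
		DNSNames:     []string{"tracker.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Run makes opts.Visits sequential connections from one client to a local
// server and returns, per visit, whether the server saw a resumed session.
// A resumed session is what lets the server link this visit to the earlier
// one that issued the ticket, with no cookie involved.
func Run(opts Options) ([]bool, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		SessionTicketsDisabled: !opts.ServerIssuesTickets,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return nil, err
	}
	defer ln.Close()

	seen := make(chan bool, opts.Visits)
	go func() {
		for i := 0; i < opts.Visits; i++ {
			c, err := ln.Accept()
			if err != nil {
				seen <- false
				continue
			}
			tc := c.(*tls.Conn)
			// Handshake completes the exchange and (for TLS 1.3) queues the
			// NewSessionTicket; DidResume is the server's "seen you before" signal.
			if err := tc.Handshake(); err == nil {
				seen <- tc.ConnectionState().DidResume
				tc.Write([]byte("hello\n"))
			} else {
				seen <- false
			}
			tc.Close()
		}
	}()

	cliCfg := &tls.Config{RootCAs: pool, ServerName: "tracker.example"}
	if opts.ClientKeepsTickets {
		// This cache is the client-side state a browser keeps until the ticket expires.
		cliCfg.ClientSessionCache = tls.NewLRUClientSessionCache(8)
	}
	trace := make([]bool, 0, opts.Visits)
	for i := 0; i < opts.Visits; i++ {
		c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
		if err != nil {
			return nil, err
		}
		// Reading the greeting also consumes the post-handshake ticket record,
		// which is the moment the client stores it for the next visit.
		buf := make([]byte, 16)
		c.Read(buf)
		c.Close()
		trace = append(trace, <-seen)
	}
	return trace, nil
}

func main() {
	for _, o := range []Options{
		{ClientKeepsTickets: true, ServerIssuesTickets: true, Visits: 3},
		{ClientKeepsTickets: false, ServerIssuesTickets: true, Visits: 3},
		{ClientKeepsTickets: true, ServerIssuesTickets: false, Visits: 3},
	} {
		trace, err := Run(o)
		fmt.Printf("%+v -> resumed per visit: %v (err=%v)\n", o, trace, err)
	}
}
```

DidResume is only the coarse signal; the ticket itself is opaque to the client and encrypted under the server's own ticket key, so a server can put any identifier it likes inside and read it back on resumption. The link only works towards the party holding that key, which is why the tracking case is a third-party domain embedded across many first-party sites. Note that Go's default client has no session cache at all; browsers do, which is the whole point of the issue.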
@DiagonalArg

Article on The Register about the same issue.

3 participants