As described in this paper (also here), the TLS session resumption feature can be used for third-party tracking. When you connect to a domain over TLS, your browser creates a session ticket (or ID) with an expiration time -- in Firefox, 1 day by default. If you connect to the same domain again before the ticket expires, your browser will send that ticket instead of going through the normal TLS handshake, allowing the server to tie your request to your previous visits, no cookies required.
Tor Browser turned this off by default a long time ago: https://trac.torproject.org/projects/tor/ticket/4099
Firefox also has a (secret) option to turn this off, see https://bugzilla.mozilla.org/show_bug.cgi?id=967977. I think we should have Privacy Badger disable it by default.
AFAIK Chrome doesn't let the user control this. Chrome's default expiration time is 30 mins for session IDs / 1 hour for tickets, so there's less of a risk of multisession tracking, but it would still be nice to be able to turn it off altogether. The most relevant Chromium ticket I could find is here -- it might be worth opening a new one there.
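To make the effect of the expiration time concrete, the following added example (not part of the original issue and not Privacy Badger code) models which visits to one third-party domain a server can tie together through resumption. The 24 h and 1 h lifetimes are the Firefox and Chrome ticket defaults quoted above; the visit times are constructed, and the `renewOnResume` flag is a hypothetical parameter for the assumption that the server hands out a fresh ticket on a resumed handshake.

```javascript
// Added example: models which visits a server can link through TLS session
// resumption. Visit times and the renewal behaviour are constructed assumptions.

// Constructed sample: visits to one third-party domain, in hours since first visit.
const VISITS_H = [0, 0.5, 3, 20, 43, 44.5, 70];

/**
 * Group visits into chains the server can tie together via resumption.
 * lifetimeH: how long the client keeps a ticket/ID (0 = resumption disabled).
 * renewOnResume: assumption that the server issues a fresh ticket on a
 * resumed handshake, restarting the lifetime window.
 */
function linkableChains(visitsH, lifetimeH, renewOnResume) {
  const chains = [];
  let issuedAt = null; // time the currently cached ticket was issued
  for (const t of [...visitsH].sort((a, b) => a - b)) {
    const canResume =
      lifetimeH > 0 && issuedAt !== null && t - issuedAt <= lifetimeH;
    if (canResume) {
      // Client presents the cached ticket: server sees the same client again.
      chains[chains.length - 1].push(t);
      if (renewOnResume) issuedAt = t;
    } else {
      // Full handshake: nothing ties this visit to earlier ones.
      chains.push([t]);
      issuedAt = t;
    }
  }
  return chains;
}

// Longest period over which one chain lets the server follow the client.
function longestSpanH(chains) {
  return Math.max(...chains.map((c) => c[c.length - 1] - c[0]));
}

function summarize(label, lifetimeH, renewOnResume) {
  const chains = linkableChains(VISITS_H, lifetimeH, renewOnResume);
  return { label, chains: chains.length, longestSpanH: longestSpanH(chains) };
}

const report = [
  summarize("1 day lifetime, renewed", 24, true),
  summarize("1 day lifetime, not renewed", 24, false),
  summarize("1 hour lifetime, renewed", 1, true),
  summarize("resumption disabled", 0, true),
];
console.table(report);
```

With a 1 day lifetime and renewal, six of the seven constructed visits fall into a single linkable chain spanning 44.5 hours; with a 1 hour lifetime only the first two visits link, and with resumption disabled none do.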