A new web security paper published on arXiv reveals details of a
little-known TLS tracking technique that companies can use to track
users across the web.
TLS Tracking Across the Web
Most users know that they can be tracked via cookies, which is why some
delete them or use their browsers’ own “private modes,” which don’t
persist session cookies. However, as browsers have kept adding advanced
new features over the past few years, new tracking capabilities have
appeared alongside them, such as browser fingerprinting and now TLS
tracking too.
When a TLS connection is made between the user’s computer and the
visited website’s server, some encryption-related state is exchanged
that can be reused to resume the session the next time the same visitor
comes back to the site. Because this state is unique to that user, the
service provider or a third-party tracker can recognize the user and
then track them across the web.
The Hamburg University researchers also found that the default lifetime
for TLS session resumption in most browsers is up to eight days. In
practice, this means that two-thirds of internet users can be tracked
permanently through these TLS sessions.
The danger comes mostly from third-party trackers, such as Google, that
interact with users through many host names. The researchers noted that
Google’s tracking service is present on 80 percent of the sites in
Alexa’s top one million list.
The researchers also warned that 0-RTT (zero round-trip) resumption in
TLS 1.3 cannot provide forward secrecy, which further reduces the
security of the communication.
Countermeasures Against TLS Tracking
The best defence against this form of TLS tracking is to pressure
browser vendors to disable it completely (especially for third-party
tracking services) or at least to let users disable it manually. The Tor
Browser is one of the browsers that already disables it by default.
Based on the empirical evidence they gathered, the researchers
recommended that the TLS session resumption lifetime be at most
10 minutes, not the seven days currently recommended for the latest
version of TLS (1.3).
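The following is an added example, not code from the paper or the article, that models the tracking mechanism described above and the lifetime countermeasure: a third-party tracker embedded on many first-party sites links every resumed connection to one profile and hands out a fresh ticket each time (prolonging the link), while the browser only resumes if its cached ticket is younger than its own cap. Host names, lifetimes and visit schedules are constructed for the simulation.

```python
"""Simulation of TLS session-resumption tracking and a lifetime cap (constructed example)."""
import secrets

DAY = 24 * 3600


class Tracker:
    """Third-party TLS server: a resumed handshake is linked to the earlier profile."""

    def __init__(self, ticket_lifetime):
        self.ticket_lifetime = ticket_lifetime   # lifetime the server advertises
        self._tickets = {}                       # ticket -> (profile_id, issued_at)
        self.profiles = {}                       # profile_id -> [(site, time), ...]

    def connect(self, site, now, ticket=None):
        """Full or resumed handshake; returns the fresh ticket given to the client."""
        entry = self._tickets.pop(ticket, None) if ticket else None
        if entry and now - entry[1] <= self.ticket_lifetime:
            profile_id = entry[0]                # resumption: recognised as same client
        else:
            profile_id = secrets.token_hex(4)    # full handshake: looks like a new client
        self.profiles.setdefault(profile_id, []).append((site, now))
        new_ticket = secrets.token_hex(16)       # fresh ticket prolongs the link
        self._tickets[new_ticket] = (profile_id, now)
        return new_ticket


class Browser:
    """Client resumption cache, limited by the browser's own maximum lifetime."""

    def __init__(self, max_lifetime):
        self.max_lifetime = max_lifetime
        self.cached = None                       # (ticket, stored_at) for the tracker

    def visit(self, tracker, site, now):
        ticket = None
        limit = min(self.max_lifetime, tracker.ticket_lifetime)
        if self.cached and now - self.cached[1] <= limit:
            ticket = self.cached[0]              # still fresh: offer it for resumption
        self.cached = (tracker.connect(site, now, ticket), now)


def linked_profiles(visit_times, browser_cap, server_lifetime=7 * DAY):
    """Visit one distinct first-party site per timestamp, all embedding the tracker.
    Returns how many separate profiles the tracker holds: 1 means every visit was
    linked to the same user, len(visit_times) means the chain was fully broken."""
    tracker, browser = Tracker(server_lifetime), Browser(browser_cap)
    for i, t in enumerate(visit_times):
        browser.visit(tracker, f"site{i}.example", t)
    return len(tracker.profiles)


if __name__ == "__main__":
    visits = [d * 3 * DAY for d in range(10)]    # constructed: one visit every 3 days
    print("8-day browser cap :", linked_profiles(visits, 8 * DAY))  # 1: tracked throughout
    print("10-minute cap     :", linked_profiles(visits, 600))      # 10: no linking
```

With the eight-day cap every third-day visit refreshes the ticket, so the tracker never loses the user; with a 10-minute cap only visits within 10 minutes of each other can be linked.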
Lucian Armasu
https://www.geezgo.com/sps/43652