TLS (SSL in an earlier incarnation) should be widely familiar as the cryptographic protocol used to keep web communication protected as it travels between client and server. The latest version is 1.3.
Establishing a TLS connection, say, when visiting an HTTPS website, involves several round trips of negotiation over the network before any application data flows. So it makes sense to have a way to resume a previously established session with less ritual: TLS session resumption.
The techniques for doing so vary between TLS 1.3 and older versions of the spec. TLS 1.3 resumes via pre-shared keys (PSK) that the server hands out in NewSessionTicket messages, giving a 1-RTT (round-trip time) handshake or, optionally, 0-RTT early data; the legacy approach in TLS 1.2 and earlier uses server-side session IDs or self-contained session tickets (RFC 5077).
Fine distinctions aside, these techniques are a bit like getting one’s hand stamped at some event in order to leave and then return without paying the cost of entry a second time. Well, not really. But let’s just leave it at that to avoid a discussion of TLS handshake arcana.
The point is that session resumption relies on an identifier handed to the client during the initial handshake and presented back to the server on the next connection. And because this identifier – session ID, session ticket or PSK identity – persists in the browser’s TLS cache, a server can link the visits that present it, so it can be tracked like any other digital identifier.
This is less of an issue for browsers running on desktop computers, provided the user restarts the browser every so often. But the researchers observe that mobile devices may go days or even weeks (given recharge time) without a browser restart.
Session resumption identifiers have varying expiration times. In TLS 1.2 and earlier, the server’s NewSessionTicket message carries a non-binding ticket_lifetime_hint
field specifying the identifier’s lifetime in seconds as a 32-bit unsigned integer. On its own that would allow a lifetime of up to 2^32 seconds, about 136 years. However, the specs call for far more restricted lifetimes: TLS 1.2 recommends an upper limit of 24 hours, and TLS 1.3 renames the field ticket_lifetime, makes it binding and caps it at 7 days (604,800 seconds).
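As an added illustration (not code from the researchers or from any TLS library), the following Python parses the NewSessionTicket handshake message in both wire formats, pulls out the advertised lifetime and classifies it against the limits above. Every sample message is constructed inside the block rather than captured from a real site, and the classification labels are the example's own.

```python
"""Parse TLS NewSessionTicket messages and check the advertised lifetime.

Added example (not from the paper or any TLS library). Wire formats follow
RFC 5077 (TLS <= 1.2, ticket_lifetime_hint) and RFC 8446 section 4.6.1
(TLS 1.3, ticket_lifetime). All sample messages below are constructed.
"""
import struct
from dataclasses import dataclass

HANDSHAKE_NEW_SESSION_TICKET = 4
SECONDS_PER_YEAR = 365.25 * 24 * 3600
TEN_MINUTES = 10 * 60
ONE_DAY = 24 * 3600        # upper limit recommended for TLS <= 1.2 sessions
SEVEN_DAYS = 7 * ONE_DAY   # RFC 8446: ticket_lifetime MUST NOT exceed 604800


@dataclass
class Ticket:
    version: str    # "1.2" or "1.3"
    lifetime: int   # advertised lifetime in seconds (uint32 on the wire)
    ticket: bytes   # opaque server blob; this is the trackable identifier


def max_lifetime_years() -> float:
    """Largest lifetime a uint32 seconds field can express, in years."""
    return (2 ** 32 - 1) / SECONDS_PER_YEAR


def _vector(buf: bytes, pos: int, len_bytes: int) -> tuple[bytes, int]:
    """Read a TLS variable-length vector with a len_bytes-wide length prefix."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated vector length")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + n], pos + n


def parse_new_session_ticket(msg: bytes, version: str) -> Ticket:
    """Parse one NewSessionTicket handshake message (type 4, 3-byte length)."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_NEW_SESSION_TICKET:
        raise ValueError("not a NewSessionTicket handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 4:
        raise ValueError("handshake length does not match message")
    lifetime = struct.unpack("!I", body[:4])[0]   # uint32 seconds, both versions
    pos = 4
    if version == "1.2":
        # RFC 5077: uint32 ticket_lifetime_hint; opaque ticket<0..2^16-1>;
        ticket, pos = _vector(body, pos, 2)
    elif version == "1.3":
        # RFC 8446: uint32 ticket_lifetime; uint32 ticket_age_add;
        #           opaque ticket_nonce<0..255>; opaque ticket<1..2^16-1>;
        #           Extension extensions<0..2^16-2>;
        pos += 4                                    # ticket_age_add, unused here
        _nonce, pos = _vector(body, pos, 1)
        ticket, pos = _vector(body, pos, 2)
        if not ticket:
            raise ValueError("TLS 1.3 ticket must be non-empty")
        _extensions, pos = _vector(body, pos, 2)
    else:
        raise ValueError(f"unsupported version {version!r}")
    if pos != len(body):
        raise ValueError("trailing bytes in NewSessionTicket")
    return Ticket(version, lifetime, ticket)


def assess(t: Ticket) -> str:
    """Classify the lifetime against the limits discussed in the text.
    The labels are this example's own, not from the paper."""
    if t.version == "1.3" and t.lifetime > SEVEN_DAYS:
        return "violates RFC 8446 7-day cap"
    if t.lifetime > ONE_DAY:
        return "over 24h"
    if t.lifetime > TEN_MINUTES:
        return "over 10min"
    return "10min or less"


def build_new_session_ticket(version: str, lifetime: int, ticket: bytes,
                             nonce: bytes = b"\x00", age_add: int = 0) -> bytes:
    """Encode a NewSessionTicket; used here only to construct sample input."""
    if version == "1.2":
        body = struct.pack("!I", lifetime) + len(ticket).to_bytes(2, "big") + ticket
    else:
        body = (struct.pack("!II", lifetime, age_add)
                + len(nonce).to_bytes(1, "big") + nonce
                + len(ticket).to_bytes(2, "big") + ticket
                + (0).to_bytes(2, "big"))           # empty extensions vector
    return bytes([HANDSHAKE_NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    # Constructed samples: a 5-minute hint, a 48-hour hint, a 2-hour TLS 1.3
    # ticket, and the uint32 maximum that the field could in principle carry.
    for version, lifetime in (("1.2", 300), ("1.2", 48 * 3600),
                              ("1.3", 7200), ("1.3", 2 ** 32 - 1)):
        msg = build_new_session_ticket(version, lifetime, b"\xaa" * 32)
        t = parse_new_session_ticket(msg, version)
        print(f"TLS {t.version}: lifetime {t.lifetime:>10d} s -> {assess(t)}")
    print(f"uint32 max is about {max_lifetime_years():.0f} years")
```

To check a live server rather than a constructed message, `openssl s_client -connect host:443 </dev/null` prints a `TLS session ticket lifetime hint: N (seconds)` line for the session it negotiated; that N is the same field this parser extracts from the raw handshake message.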
Sy, Federrath, Burkert, and Fischer found that 80 per cent of the session-ticket-enabled websites among the Alexa Top Million set lifetime hints of ten minutes or less, while about 10 per cent of the remainder set hints of at least 24 hours.
They note that Facebook and Google, which both run behavioural advertising businesses, specify longer session resumption ticket lifetimes than most. Facebook’s lifetime hint of 48 hours is higher than 99.99 per cent of all session ticket hints found; Google’s 28-hour value exceeds 97.13 per cent of Alexa’s top million websites.