HTTPS isn’t as great as you think, TLS can expose someone’s web privacy


Analysis Transport Layer Security underpins much of the modern internet. It is the foundation of secure connections to HTTPS websites, for one thing. However, it can harbor a sting in its tail for those concerned about staying anonymous online.

Privacy advocates have long warned about the risks posed by various forms of web tracking. These include cookies, web beacons, and too many forms of fingerprinting to name.

Awareness of the issue has helped a bit. Apple recently rolled out improved tracking protection in Safari for macOS Mojave and iOS 12. Firefox earlier this year debuted an anti-tracking add-on called Facebook Container, among other improvements. And browsers like Brave and Tor Browser continue to offer more extensive privacy capabilities.

The privacy risks associated with web tracking, however, persist, and now it appears there’s yet another mechanism for following people online. Blame researchers from the University of Hamburg in Germany for the latest expansion of the privacy attack surface.

In a paper distributed through ArXiv this week, computer science boffins Erik Sy, Hannes Federrath, Christian Burkert, and Mathias Fischer describe a novel tracking technique involving Transport Layer Security (TLS) session resumption.

Tricky negotiations

TLS (SSL in an earlier incarnation) should be widely familiar as the cryptographic protocol used to keep web communication protected as it travels between client and server. The latest version is 1.3.

Establishing a TLS connection, say, when visiting a HTTPS website, involves some back-and-forth negotiation over the network. So it makes sense to have a way to resume previously a established session with less ritual: TLS session resumption.

The techniques for doing so vary between TLS 1.3 and older versions of the spec – 0-RTT/1-RTT (round-trip time) via pre-shared keys (PSK) represents the latest mechanism while the legacy approach involves sessions IDs and session tickets.

Fine distinctions aside, these techniques are a bit like getting one’s hand stamped at some event in order to leave and then return without paying the cost of entry a second time. Well, not really. But let’s just leave it at that to avoid a discussion of TLS handshake arcana.

The point is that session resumption relies on the identifier passed to the client device during the initial handshake. And because this identifier – session ID, session ticket or PSK identity – persists in the browser’s TLS cache, it can be tracked like any other digital identifier.

This is less of an issue for browsers running on desktop computers, provided the user restarts the browser every so often. But the researchers observe that mobile devices may go days or even weeks (given recharge time) without a browser restart.

Session resumption identifiers have varying expiration times. Servers can provide a non-binding ticket_lifetime_hint field specifying the identifier’s lifetime in seconds as a 32-bit unsigned integer. That could allow a lifetime of about 68 years. However, TLS 1.2 and TLS 1.3 call for more restricted ticket lifetimes, 24 hours and 7 days respectively.

It could be worse but still isn’t good

Sy, Federrath, Burkert, and Fischer found that 80 per cent of the TLS session ticket-enabled websites among the Alexa Top Million set lifetime hints of ten minutes or less. About 10 per cent of the remainder set lifetime hints of at least 24 hours.

They note that Facebook and Google, due to their behavioral ad businesses, specify longer session resumption ticket lifetimes than most. Facebook’s lifetime hint setting of 48 hours is higher than 99.99 per cent of all session ticket hints found. Google’s 28 hour value exceeds 97.13 per cent of Alexa’s top million websites.