steven36 Posted October 22, 2018

A new web security paper via ArXiv has revealed details about a little known TLS tracking technique that companies can use to track users across the web.

TLS Tracking Across the Web

Most users know that they can be tracked via cookies, which is why some delete them or use their browsers’ own “private modes,” which don’t store session cookies. However, over the past few years, due to browsers continuing to implement advanced new features, new tracking capabilities have appeared, such as browser fingerprinting and now TLS tracking too.

When a TLS connection is made between the user’s computer and the visited website’s server, some encryption-related information is exchanged, which can be reused the next time the same visitor comes to the site. Because this information is unique to that user, the service provider or a third-party tracker can recognize and then track the user across the web.

The Hamburg University researchers also revealed that the default lifetime for TLS session resumption in most browsers is up to eight days. What this means in practice is that two-thirds of the internet users can be tracked permanently through these TLS sessions.

The danger is associated mostly with third-party trackers, such as Google, that interact with users via many host names. The researchers noted that Google’s tracking service is present on 80 percent of the sites on Alexa's top one million sites list.

The researchers also warned that in the case of 0-RTT (zero-round trip) resumptions when using TLS 1.3, forward secrecy can not be supported, thus also reducing the communications security.

Countermeasures Against TLS Tracking

The best way to fight against this form of TLS tracking is to pressure browsers to disable it completely (especially for third-party tracking services) or at least allow users to disable it manually. The Tor browser is one of the browsers that disables TLS tracking by default.

Based on the empirical evidence the researchers have gathered, they recommended that the TLS session resumption lifetime should be at most 10 minutes, not seven days as it’s currently recommended for the latest version of TLS (1.3).

Workaround for Firefox

Credits to: audiospecaccts

Quote

about:config

devtools.remote.tls-handshake-timeout 60
network.http.spdy.enforce-tls-profile false
network.proxy.proxy_over_tls false
security.webauth.u2f false
security.webauth.webauthn false
security.tls.version.min 3

right click and add the boolean key:

security.ssl.disable_session_identifiers true

The reason you must add security.ssl.disable_session_identifiers see here https://bugzilla.mozilla.org/show_bug.cgi?id=967977#c17

Source
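
The lifetime recommendation in the article above can be seen in a small model, added here as an example that is not part of the original post or of the paper. It groups a constructed list of visit times into chains that one server could link through resumed sessions; the function names, the `renew` switch and the visit pattern are assumptions made for illustration.

```python
"""Model of how a TLS session-resumption lifetime bounds linkable visits."""

DAY = 24 * 60  # minutes


def linkable_chains(visits, lifetime, renew=True):
    """Split visit times (minutes) into chains one server could link.

    A visit joins the current chain if the client still holds unexpired
    session state. renew=True models a server that hands out fresh state
    on every resumed handshake, so the clock restarts at each visit
    (assumption). renew=False models state that expires `lifetime`
    minutes after it was first issued (assumption).
    """
    chains = []
    issued = None  # time the currently cached session state was issued
    for t in sorted(visits):
        if issued is not None and t - issued <= lifetime:
            chains[-1].append(t)
            if renew:
                issued = t
        else:
            # Cached state expired or absent: full handshake, new identity.
            chains.append([t])
            issued = t
    return chains


def longest_span(chains):
    """Longest period (minutes) over which visits stay linkable."""
    return max((c[-1] - c[0] for c in chains), default=0)


# Constructed browsing pattern: one visit a day for two weeks, a ten-day
# break, then one visit a day for another week (21 visits in total).
VISITS = [d * DAY for d in range(14)] + [d * DAY for d in range(24, 31)]


def summarize(lifetime, renew=True):
    """Return (number of separate identities, longest linkable span in days)."""
    chains = linkable_chains(VISITS, lifetime, renew)
    return len(chains), longest_span(chains) // DAY


if __name__ == "__main__":
    for label, lifetime, renew in [
        ("7 days, renewed on each visit", 7 * DAY, True),
        ("7 days, fixed from first issue", 7 * DAY, False),
        ("10 minutes", 10, True),
    ]:
        n, days = summarize(lifetime, renew)
        print(f"{label}: {n} identities, longest linkable span {days} days")
```

With a seven-day lifetime that is renewed on every visit, only the ten-day break splits the chain; with a ten-minute lifetime each daily visit appears as a new identity.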
mp68terr Posted October 22, 2018

Just added the 'Countermeasures Against TLS Tracking' in palemoon user.js file!
plb4333 Posted October 23, 2018

Did the about:config settings in Firefox as well. Great info to know about. Very thankful.
This topic is now archived and is closed to further replies.