Annual Computer Security Applications Conference (ACSAC) 2018

Full Program »

Tracking Users across the Web via TLS Session Resumption

User tracking on the Internet can come in various forms, e.g., via cookies or by fingerprinting web browsers. A technique that got less attention so far is user tracking based on TLS and specifically based on the TLS session resumption mechanism. To the best of our knowledge, we are the first that investigate the applicability of TLS session resumption for user tracking. For that, we evaluated the configuration of 48 popular browsers and one million of the most popular websites. Moreover, we present a so-called prolon- gation attack, which allows extending the tracking period beyond the lifetime of the session resumption mechanism. To show that under the observed browser configurations tracking via TLS session resumptions is feasible, we also looked into DNS data to understand the longest consecutive tracking period for a user by a particular website. Our results indicate that with the standard setting of the session resumption lifetime in many current browsers, the average user can be tracked for up to eight days. With a session resumption lifetime of seven days, as recommended upper limit in the draft for TLS version 1.3, even 65% of all users in our dataset can be tracked permanently.

Erik Sy
University of Hamburg
Germany

Christian Burkert
University of Hamburg
Germany

Hannes Federrath
University of Hamburg
Germany

Mathias Fischer
University of Hamburg
Germany

 



Powered by OpenConf®
Copyright©2002-2018 Zakon Group LLC