Avast WEBforum

Avast Products => Avast Secure Browser => Topic started by: polonus on October 21, 2018, 12:33:03 PM

Title: What to do against TLS Session Resumption & Session IDs?
Post by: polonus on October 21, 2018, 12:33:03 PM
TLS Session Resumption provides an ideal way to quirk privacy in the browser by big data slurpers like Facebook etc.
Read: https://www.theregister.co.uk/2018/10/19/tls_handshake_privacy/

Problem especially with Android browsers, as sessions can stay open for quite some time.
So take your privacy delicate searches back to the old desktop browser,
with a browser you can close and cleanse ever so often.

Some find methods to disable this: https://trac.torproject.org/projects/tor/ticket/4099
See how constant tracking and monitoring by Big Commerce & Big Guv
threatens the last vestiges of your privacy by scanning here:
http://ip-check.info/index.php?lang=en

My question: what is the best way to make it a little bit harder for Big Slurper to abuse TLS in this way?
This while I know, on the other hand, that this is an ongoing cat and mouse game between the trackers and those being tracked
(us), where trackers will always look for new ways to track, even going so far as abusing a security protocol for their ends,
as they do in this case of TLS Session Resumption and Session ID tracking.

Anyone with ideas?

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

N.B. Also good to read: https://www.w3.org/wiki/images/7/7d/Is_preventing_browser_fingerprinting_a_lost_cause.pdf
and https://hovav.net/ucsd/papers/mbys11.html (Hovav Shacham et al.)

Damian
Title: Re: What to do against TLS Session Resumption & Session IDs?
Post by: alanb on October 21, 2018, 02:51:52 PM
If you are fortunate enough to be a Firefox user, in about:config simply set

'security.ssl.disable_session_identifiers'  to 'true'  :D