Author Topic: What to do against TLS Session Resumption & Session IDs?  (Read 1680 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
What to do against TLS Session Resumption & Session IDs?
« on: October 21, 2018, 12:33:03 PM »
TLS Session Resumption provides an ideal way to quirk privacy in the browser by big data slurpers like Facebook etc.
Read: https://www.theregister.co.uk/2018/10/19/tls_handshake_privacy/

Problem especially with Android browsers as sessions can stay open for quite some time.
So take your privacy delicate searches back to the old desktop browser,
with a browser you can close and cleanse ever so often.

Some finds methods to disable this: https://trac.torproject.org/projects/tor/ticket/4099
See how constant tracking and monitoring by Big Commerce & Big Guv
threatens the last vestiges of your privacy by scanning here:
http://ip-check.info/index.php?lang=en

My question: what is the best way to make it a little bit harder for Big Slurper to abuse TLS in this way?
This while I know on the other hand, that this is an ongoing cat and mouse game between the tracking and those being tracked,
(us) where trackers will always look for new ways to track even going so far as abusing a security protocol for their ends
as they do in this case of TLS Session Resumption and Session ID tracking.

Anyone with ideas?

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

N.B. Also good to read: https://www.w3.org/wiki/images/7/7d/Is_preventing_browser_fingerprinting_a_lost_cause.pdf
and https://hovav.net/ucsd/papers/mbys11.html (Hovav Shacham et al.)

Damian
« Last Edit: October 21, 2018, 12:55:45 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline alanb

  • Poster
  • *
  • Posts: 652
Re: What to do against TLS Session Resumption & Session IDs?
« Reply #1 on: October 21, 2018, 02:51:52 PM »
If you are fortunate enough to be a Firefox user, in about:config simply set

'security.ssl.disable_session_identifiers' to 'true' :D
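
An added example, not part of either post: a simplified model (not a real TLS stack) of how a server's session cache links repeat visits, and how closing the browser or never offering a cached session, as the Firefox setting above does, breaks that link. The class and function names, the 24-hour cache lifetime and the visit schedule are all assumptions made for illustration.

```python
import secrets

HOUR = 3600

class Server:
    """Toy server: session cache mapping session ID -> (pseudonym, expiry)."""
    def __init__(self, lifetime=24 * HOUR):  # lifetime is an assumed value
        self.lifetime = lifetime
        self.cache = {}
        self.count = 0

    def handshake(self, offered_id, now):
        entry = self.cache.get(offered_id)
        if entry and now < entry[1]:
            return entry[0], offered_id      # resumed: linked to earlier visit
        self.count += 1                      # full handshake: looks like a new visitor
        pseudonym = f"visitor-{self.count}"
        session_id = secrets.token_hex(16)
        self.cache[session_id] = (pseudonym, now + self.lifetime)
        return pseudonym, session_id

class Browser:
    """Toy client; the flag mirrors security.ssl.disable_session_identifiers."""
    def __init__(self, disable_session_identifiers=False):
        self.disable = disable_session_identifiers
        self.session_id = None

    def restart(self):
        self.session_id = None               # assumption: cache is in memory only

    def visit(self, server, now):
        offered = None if self.disable else self.session_id
        pseudonym, issued = server.handshake(offered, now)
        if not self.disable:
            self.session_id = issued
        return pseudonym

def run(browser, visit_times, restart_before=()):
    """Return the pseudonym the server assigns to each visit."""
    server = Server()
    seen = []
    for t in visit_times:
        if t in restart_before:
            browser.restart()
        seen.append(browser.visit(server, t))
    return seen

if __name__ == "__main__":
    times = [0, 1 * HOUR, 5 * HOUR, 30 * HOUR]   # constructed visit schedule
    print(run(Browser(), times))
    print(run(Browser(), times, restart_before={5 * HOUR}))
    print(run(Browser(disable_session_identifiers=True), times))
```

In the default run the first three visits share one pseudonym until the cache entry expires; a restart splits them, and with the flag set every visit looks like a new visitor.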