Tracking Users across the Web via TLS Session Resumption
Erik Sy, Christian Burkert, Hannes Federrath, Mathias Fischer

TL;DR
This paper investigates how TLS session resumption can be exploited for user tracking, revealing that many browsers allow tracking for days or even permanently, especially with prolonged session lifetimes.
Contribution
First analysis of TLS session resumption as a user tracking method, including a novel prolongation attack and extensive evaluation of browser configurations and website data.
Findings
Average user can be tracked for up to eight days.
65% of users can be tracked permanently with a 7-day session lifetime.
Prolongation attack extends tracking beyond session limits.
Abstract
User tracking on the Internet can come in various forms, e.g., via cookies or by fingerprinting web browsers. A technique that got less attention so far is user tracking based on TLS and specifically based on the TLS session resumption mechanism. To the best of our knowledge, we are the first that investigate the applicability of TLS session resumption for user tracking. For that, we evaluated the configuration of 48 popular browsers and one million of the most popular websites. Moreover, we present a so-called prolongation attack, which allows extending the tracking period beyond the lifetime of the session resumption mechanism. To show that under the observed browser configurations tracking via TLS session resumptions is feasible, we also looked into DNS data to understand the longest consecutive tracking period for a user by a particular website. Our results indicate that with the…
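As an added illustration (not code from the paper or its authors) of the two quantities the abstract measures, the following model computes the longest consecutive period over which one website can link a client's visits through TLS session resumption, once with the session lifetime simply expiring and once under a prolongation attack. The model assumes the attack works by the server handing out a fresh ticket with a full lifetime on every resumption, so only the gap since the previous visit matters; all timestamps and lifetimes are in days, and the visit data is constructed.

```python
"""Model how a browser's TLS session resumption lifetime bounds the period during
which one website can link a client's visits, with and without a prolongation
attack (assumed here: the server re-issues a fresh ticket on every resumption,
resetting the lifetime clock). Units are days; sample data is constructed."""
from typing import List, Sequence


def tracking_periods(visits: Sequence[float], lifetime: float, prolongation: bool) -> List[float]:
    """Split visit timestamps into runs linkable to one resumption identity and
    return the length (last visit minus first visit) of each run."""
    periods: List[float] = []
    start = last = None
    for t in sorted(visits):
        if start is None:
            start = last = t
            continue
        # Without prolongation the ticket issued at `start` expires after `lifetime`;
        # with prolongation every resumption yields a new ticket, so the clock
        # restarts at the previous visit instead.
        anchor = last if prolongation else start
        if t - anchor < lifetime:
            last = t                   # resumption succeeds: same identity
        else:
            periods.append(last - start)
            start = last = t           # ticket expired: a fresh, unlinkable identity
    if start is not None:
        periods.append(last - start)
    return periods


def longest_tracking_period(visits: Sequence[float], lifetime: float, prolongation: bool) -> float:
    """Longest consecutive span (days) during which the site could track this client."""
    return max(tracking_periods(visits, lifetime, prolongation), default=0.0)


def share_tracked_throughout(users: Sequence[Sequence[float]], lifetime: float, prolongation: bool) -> float:
    """Fraction of users whose every visit in the data set links to one identity,
    i.e. who are tracked for the whole observation window."""
    if not users:
        return 0.0
    hits = sum(1 for v in users if len(tracking_periods(v, lifetime, prolongation)) == 1)
    return hits / len(users)


if __name__ == "__main__":
    visits = [0, 2, 5, 9, 12, 30, 33]          # constructed visit days of one client
    for prolong in (False, True):
        print("prolongation" if prolong else "plain expiry",
              longest_tracking_period(visits, lifetime=7, prolongation=prolong))
```

With a 7-day lifetime the plain-expiry run links at most 5 days of visits, while the prolongation run links 12 days, and the identity only breaks at the 18-day gap.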
