# Enhanced Performance and Privacy for TLS over TCP Fast Open

**Authors:** Erik Sy, Tobias Mueller, Christian Burkert, Hannes Federrath, Mathias Fischer

arXiv: 1905.03518 · 2019-11-13

## TL;DR

This paper measures TCP Fast Open (TFO) deployment on popular websites and browsers, finds that load balancing across multiple IP addresses defeats the abbreviated handshake on 40% of first revisits, shows that TFO lets network attackers and online trackers follow users, and proposes TCP Fast Open Privacy (FOP), which keeps 0-RTT handshakes without that tracking; a proof-of-concept is implemented for the Linux kernel and a TLS library.

## Contribution

It introduces TCP FOP, a protocol that removes the tracking exposure of TCP Fast Open without giving up its 0-RTT handshakes, and backs the design with a proof-of-concept implementation for the Linux kernel and a TLS library.

## Key findings

- 40% of first revisits to a website fail to get an abbreviated TFO handshake because the site is load-balanced across multiple IP addresses
- TCP FOP prevents tracking by network attackers and impedes third-party tracking while keeping 0-RTT handshakes
- TLS over TCP FOP outperforms TLS over TFO when a website is served from multiple IP addresses

## Abstract

Small TCP flows make up the majority of web flows. For them, the TCP three-way handshake induces significant delay overhead. The TCP Fast Open (TFO) protocol can significantly decrease this delay via zero round-trip time (0-RTT) handshakes for all TCP handshakes that follow a full initial handshake to the same host. However, this comes at the cost of privacy limitations and also has some performance limitations. In this paper, we investigate the TFO deployment on popular websites and browsers. We found that a client revisiting a website for the first time fails to use an abbreviated TFO handshake in 40% of all cases due to web server load-balancing using multiple IP addresses. Our analysis further reveals significant privacy problems of the protocol design and implementation. Network-based attackers and online trackers can exploit TFO to track the online activities of users. As a countermeasure, we introduce a novel protocol called TCP Fast Open Privacy (FOP). TCP FOP prevents tracking by network attackers and impedes third-party tracking, while still allowing 0-RTT handshakes as in TFO. As a proof-of-concept, we have implemented the proposed protocol for the Linux kernel and a TLS library. Our measurements indicate that TCP FOP outperforms TLS over TFO when websites are served from multiple IP addresses.
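The three mechanics the abstract relies on (a cookie earned by a full handshake buys 0-RTT later, the cookie is useless when the revisit lands on a different IP of a load-balanced site, and the cleartext cookie is a handle for on-path observers and trackers) can be watched in a small simulation. This is an added example written for this page, not code from the paper or from its Linux kernel and TLS library implementation. The cookie construction follows the RFC 7413 recommendation (keyed MAC over the client IP under a server secret); the 8-byte cookie length, one secret per server IP, the client cache keyed by destination IP, and the single-use, encrypted-delivery model used to stand in for TCP FOP are assumptions made here, not the paper's construction.

```python
"""Toy model of TCP Fast Open (TFO) cookies: constructed illustration, not the
paper's code.  Cookie = keyed MAC over the client IP, as RFC 7413 recommends;
the 8-byte length, per-server secrets and the per-destination-IP client cache
are modelling assumptions."""
import hashlib
import hmac
import os
import random

COOKIE_LEN = 8


def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()[:COOKIE_LEN]


class TfoServer:
    """One IP address of a site, with its own cookie secret."""

    def __init__(self, ip):
        self.ip = ip
        self._key = os.urandom(16)
        self.issued = {}  # cookie -> client IP it went to (tracker state)

    def accept_syn(self, client_ip, cookie):
        """Return (fast_open, cookie_to_issue, linked_ip); linked_ip is the
        earlier client IP when a stale cookie lets the server recognise a
        returning client (third-party tracking)."""
        expected = _mac(self._key, client_ip.encode())
        if cookie is not None and hmac.compare_digest(cookie, expected):
            return True, None, None          # 0-RTT: data in the SYN accepted
        linked = self.issued.get(cookie)
        self.issued[expected] = client_ip
        return False, expected, linked       # full handshake, new cookie


class TfoClient:
    """Client keeping one cookie per destination IP, kept across IP changes."""

    def __init__(self, ip):
        self.ip = ip
        self.cache = {}

    def connect(self, server, wire):
        cookie = self.cache.get(server.ip)
        wire.append((self.ip, server.ip, cookie))  # SYN is cleartext
        fast, new_cookie, linked = server.accept_syn(self.ip, cookie)
        if new_cookie is not None:
            self.cache[server.ip] = new_cookie
        return fast, linked


def revisit_fast_open_rate(n_ips, trials, seed=1):
    """Share of first revisits that get 0-RTT when DNS returns one of n_ips
    addresses at random per connection (the load-balancing failure)."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        servers = [TfoServer(f"203.0.113.{i}") for i in range(1, n_ips + 1)]
        client = TfoClient("198.51.100.7")
        client.connect(rng.choice(servers), [])            # first visit
        fast, _ = client.connect(rng.choice(servers), [])  # first revisit
        hits += fast
    return hits / trials


def observer_links_ip_change():
    """Client changes network but keeps its cache: the stale cookie goes out in
    cleartext from the new IP, so a passive observer and the server can tie
    the two IPs together."""
    server, client, wire = TfoServer("192.0.2.10"), TfoClient("198.51.100.7"), []
    client.connect(server, wire)        # full handshake, cookie issued
    client.connect(server, wire)        # 0-RTT, cookie visible on the wire
    client.ip = "198.51.100.99"         # new network, cache kept
    fast, server_linked = client.connect(server, wire)
    ips_per_cookie = {}
    for src, _dst, cookie in wire:
        if cookie is not None:
            ips_per_cookie.setdefault(cookie, set()).add(src)
    observer_linked = any(len(v) > 1 for v in ips_per_cookie.values())
    return fast, server_linked, observer_linked


def single_use_cookies_not_linkable(n=5):
    """The property the abstract claims for TCP FOP, modelled as an assumption
    about the mechanism (not the paper's construction): cookies are valid
    site-wide, used once, and the replacement reaches the client inside the
    encrypted connection, so no cleartext cookie value ever repeats."""
    valid, cache, wire, results = set(), {}, [], []
    for _ in range(n):
        cookie = cache.get("site")
        wire.append(cookie)                 # what an on-path observer sees
        results.append(cookie in valid)
        valid.discard(cookie)               # single use
        cache["site"] = nxt = os.urandom(COOKIE_LEN)  # delivered encrypted
        valid.add(nxt)
    seen = [c for c in wire if c is not None]
    return results, len(seen) == len(set(seen))
```

`revisit_fast_open_rate(1, 20)` is 1.0 and `revisit_fast_open_rate(4, 400)` lands near 0.25: with one cookie per destination IP, the revisit only gets 0-RTT when DNS happens to return the IP seen before. `observer_links_ip_change()` returns `(False, "198.51.100.7", True)`: the revisit from the new address is a full handshake, the server matched the stale cookie to the old address, and the on-path log carries the same cookie under two source IPs. `single_use_cookies_not_linkable()` shows the contrasting property: every connection after the first is 0-RTT and no cookie value appears twice on the wire, while the issuing server can still recognise its own cookies, in line with the abstract's distinction between preventing network tracking and impeding third-party tracking.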

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.03518/full.md

## Figures

13 figures with captions in the complete paper: https://tomesphere.com/paper/1905.03518/full.md

## References

33 references — full list in the complete paper: https://tomesphere.com/paper/1905.03518/full.md

---
Source: https://tomesphere.com/paper/1905.03518