An academic paper published last month has shed new light on a new user tracking technique that takes advantage of a legitimate mechanism associated with the TLS (Transport Layer Security) protocol -the backbone of modern HTTPS connections.
The abused TLS mechanism is called TLS Session Resumption (RFC 8447), a mechanism that was created in the mid-2000s to allow TLS servers to remember past user sessions and avoid wasting server resources by re-negotiating a TLS connection with a returning user.
There are currently three different ways that servers can opt to use and support TLS Session Resumption. There's TLS Session Resumption via session IDs, there's TLS Session Resumption via session tickets, and there's TLS Session Resumption via pre-shared keys (PSKs).
The first two are compatible with the older TLS 1.2 protocol, while the third mechanism was developed for the newer and recently-approved TLS 1.3 standard. In all three cases, server owners have the liberty to set the lifespan the server remembers a user session.
In a research paper published at the start of September, four researchers from the University of Hamburg, Germany, have revealed that online advertising firms can abuse the TLS Session Resumption mechanism to track users as they navigate the web.
The concept is simple. If an online advertising firm loads ads via a TLS (HTTPS) server, then it can enable TLS Session Resumption for that server.
When a user access Website A showing ads from the advertising firm, it also establishes a TLS session with the advertising firm's server. When the user visits Website B with ads from the same firm, instead of negotiating another TLS session, the user resumes the existing one, allowing the advertising firm to track the user as he moves across sites.
The research team says it tested how both websites and browsers deal with TLS Session Resumption settings.
A review of 45 desktop and mobile browsers revealed that tracking users is possible on 38 browsers.
Three of the seven browsers didn't support TLS Session Resumption, to begin with --Tor Browser (desktop), JonDoBrowser (desktop), and Orbot (Android).
The other four browsers came with default configurations that blocked TLS Session Resumption tracking via third-party domains, although they supported TLS Session Resumption for the main domain (the website being accessed) --360 Security Browser (desktop), Konqueror (desktop), Microsoft Edge (desktop), and Sleipnir (desktop).
"Our results show, that third-party tracking via TLS session resumption is feasible for the large majority of investigated popular browsers. However, our results [...] indicate the session resumption lifetime is limited within the majority of investigated browsers," researchers said. By limited, the research team is referring to the fact that the vast majority of browsers clear TLS session information after an hour.
Researchers believe that browser makers aren't aware of this possible user tracking technique, otherwise, they would feature shorter TLS session resumption times.
As in regards to who's using TLS Session Resumption tracking, researchers were not in a position to give a conclusive answer, but they did point out that both Google and Facebook, two of the world's largest advertising firms, used abnormally large TLS Session Resumption lifespans of 28 hours and 48 hours, respectively.
Researchers found that 80% of the Alexa Top 1 Million sites who used TLS employed a TLS Session Resumption lifespan of 10 minutes or smaller.
All in all, tracking via TLS Session Resumption identifiers doesn't appear to be a widespread practice, but this might also be because that TLS adoption has only recently gone up among internet users.
As TLS becomes a more accessible technology for running websites, advertising firms are also expected to explore and even implement this technique in the future, if they're not doing so already.
To prevent this technique from becoming a mainstream tracking method, the German research team recommends that browser vendors disable TLS Session Resumption for third-party domains, and only allow it for the main domain, the one accessed through the browser directly. This way, ads delivered via HTTPS will have to negotiate a unique TLS session every time they're loaded inside a user's browser, regardless of the domain they're shown on.
More technical details are available in the research team's white paper, entitled "Tracking Users across the Web via TLS Session Resumption," available for download from here or here.