Researcher: websites can track you through the TLS protocol without relying on cookies

Do you think that disabling browser cookies can avoid being tracked by websites? The idea of advocating the return of cookie tracking options to users may be just smoke bombs, and still, follow users with the latest TLS 1.3 transport layer security protocol.

Currently, the means of tracking users on the website is still popular with cookies or by web browser features. The less popular technology is user tracking based on Transport Layer Security (TLS), especially using TLS. The TLS Session Resumption mechanism and the University of Hamburg researchers took the lead in studying the applicability of the TLS session recovery mechanism.

Companies such as Facebook and Google have used HTTP cookies, and web browser features to track users in the past, but as users increasingly pay attention to protecting their privacy, more people are starting to use privacy-enhanced browsers for confidentiality. Patterns or extensions to limit web page tracking make these two technologies almost unsuccessful. Also, tracking users through IP locations is also limited because users may share public IP addresses with NAT, and websites cannot cross different network tracking devices.

The site began to focus on the latest TLS 1.3 protocol, and their tracking technology began to shift to using the TLS session recovery mechanism. The TLS session recovery mechanism allows websites to use the keys exchanged in earlier TLS conversations to reduce the TLS handshake, which also opens up the possibility of enabling sites to link two conversations. Since restarting the browser will clear the cache, by the way, this method can resume continuous user tracking through the TLS session only if the browser is not restarted. But this usage habit is entirely different on mobile devices, and mobile device users rarely restart the browser.

Researchers at the University of Hamburg systematically studied the configuration of 48 popular browsers and Alexa’s top million popular websites to assess the actual configuration of these tracking mechanisms and the user tracking sustainability time. The researchers used Prolongation Attack to extend the tracking period to exceed the lifecycle of TLS session recovery, then analyse the impact of the extended attack on the tracking time and the percentage of users that can be permanently tracked based on additional DNS data, and ultimately derive the user’s browsing behaviour.

Studies have shown that even if the standard browser sets the TLS session recovery lifecycle to only one day, users can still be tracked for up to 8 days, and the TLS 1.3 draft version suggests a TLS session recovery lifecycle of 7 days, the researchers pass Alexa At least one site in the dataset can permanently track 65% of users in the experiment.

The researchers also observed that more than 80% of Alexa’s top million popular sites have a recovery lifecycle of fewer than 10 minutes, but about 10% of sites use a cycle setting greater than 24 hours, especially for advertisers— — Google’s TLS conversation has a lifespan of 28 hours, and the Facebook conversation recovery lifecycle is set to 48 hours, above the 99.99 percentile in Alexa’s top million popular sites.

Researchers at the University of Hamburg pointed out that to prevent websites from recovering users through TLS conversations, you need to modify the TLS standard and the configuration of standard browsers. The most effective way is to disable TLS session recovery completely.