DOI: 10.1145/3274694.3274708 (research article, ACSAC Conference Proceedings)

Tracking Users across the Web via TLS Session Resumption

Published: 03 December 2018

    Abstract

    User tracking on the Internet can come in various forms, e.g., via cookies or by fingerprinting web browsers. A technique that has received less attention so far is user tracking based on TLS, specifically on the TLS session resumption mechanism. To the best of our knowledge, we are the first to investigate the applicability of TLS session resumption for user tracking. For that, we evaluated the configuration of 48 popular browsers and of the one million most popular websites. Moreover, we present a so-called prolongation attack, which allows the tracking period to be extended beyond the lifetime of the session resumption mechanism. To show that tracking via TLS session resumption is feasible under the observed browser configurations, we also analysed DNS data to determine the longest consecutive period during which a particular website can track a user. Our results indicate that with the default session resumption lifetime of many current browsers, the average user can be tracked for up to eight days. With a session resumption lifetime of seven days, the recommended upper limit in the draft for TLS version 1.3, 65% of all users in our dataset can be tracked permanently.
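    The following simulation is an added illustration of the abstract's argument, not code from the paper: it links a client's visits to one website through a resumption identifier (session ID, ticket or PSK identity) that lives for a fixed lifetime, shows how a server that issues a fresh ticket on every resumption (the prolongation attack) extends the linkable period beyond that lifetime, and models one client-side mitigation, an assumed hard cap on the age of a ticket chain. The visit timestamps are constructed.

```python
# Added example (not from the paper): simulate how TLS session resumption links
# a client's visits to one site, and how the prolongation attack extends that.
# Visit timestamps are constructed; units are seconds.
DAY = 86400

def tracking_periods(visits, lifetime, prolongation, max_chain_age=None):
    """Return the length of every consecutively linkable period (last visit minus
    first visit of a chain of resumed handshakes).

    lifetime      -- how long the client keeps a session ID / ticket / PSK.
    prolongation  -- server issues a fresh ticket on every resumption, so expiry
                     is measured from the most recent visit instead of the first.
    max_chain_age -- assumed client-side mitigation: discard the ticket chain once
                     this much time has passed since the last full handshake.
    """
    periods, chain_start, last, expires = [], None, None, None
    for t in sorted(visits):
        linked = (chain_start is not None and t < expires
                  and (max_chain_age is None or t - chain_start < max_chain_age))
        if linked:
            if prolongation:          # renewed ticket: lifetime restarts at t
                expires = t + lifetime
        else:                         # full handshake: new, unlinkable identifier
            if chain_start is not None:
                periods.append(last - chain_start)
            chain_start, expires = t, t + lifetime
        last = t
    if chain_start is not None:
        periods.append(last - chain_start)
    return periods

def longest_tracking_period(visits, lifetime, prolongation, max_chain_age=None):
    return max(tracking_periods(visits, lifetime, prolongation, max_chain_age), default=0)

def tracked_permanently(visits, lifetime):
    """With prolongation, a user never leaves the chain if every gap between
    consecutive visits is shorter than the resumption lifetime."""
    v = sorted(visits)
    return all(b - a < lifetime for a, b in zip(v, v[1:]))

# Constructed visit pattern: daily visits, a six-day pause, then daily again.
VISITS = [d * DAY for d in (0, 1, 2, 3, 9, 10, 11)]
LIFETIME = 7 * DAY   # upper limit recommended in the TLS 1.3 draft

if __name__ == "__main__":
    for label, kw in (("no prolongation", dict(prolongation=False)),
                      ("prolongation", dict(prolongation=True)),
                      ("prolongation + 7-day cap", dict(prolongation=True, max_chain_age=LIFETIME))):
        print(f"{label}: {longest_tracking_period(VISITS, LIFETIME, **kw) / DAY:.0f} days")
    print("permanently tracked:", tracked_permanently(VISITS, LIFETIME))
```

    With the constructed pattern the six-day pause breaks the chain when the lifetime counts from the first full handshake, but not when every resumption renews the ticket; the age cap restores the shorter linkable period.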



    Published In

    ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference
    December 2018
    766 pages
    ISBN:9781450365697
    DOI:10.1145/3274694
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    In-Cooperation

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Browser Measurement
    2. PSK Identity
    3. Session IDs
    4. Session Tickets
    5. Tracking Period

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ACSAC '18

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%

    Article Metrics

    • Downloads (last 12 months): 39
    • Downloads (last 6 weeks): 2

    Cited By

    • (2024) Yuz: Improving Performance of Cluster-Based Services by Near-L4 Session-Persistent Load Balancing. IEEE Transactions on Network and Service Management 21(2), 1929-1942, April 2024. doi:10.1109/TNSM.2023.3341964
    • (2023) We really need to talk about session tickets. Proceedings of the 32nd USENIX Conference on Security Symposium, 4877-4894, 9 August 2023. doi:10.5555/3620237.3620510
    • (2022) SoK. Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, 784-798, 30 May 2022. doi:10.1145/3488932.3517416
    • (2022) Puncturable Key Wrapping and Its Applications. Advances in Cryptology – ASIACRYPT 2022, 651-681, 5 December 2022. doi:10.1007/978-3-031-22966-4_22
    • (2021) OmniCrawl: Comprehensive Measurement of Web Tracking With Real Desktop and Mobile Browsers. Proceedings on Privacy Enhancing Technologies 2022(1), 227-252, 20 November 2021. doi:10.2478/popets-2022-0012
    • (2021) REDACT. ACM SIGCOMM Computer Communication Review 51(4), 15-22, 3 December 2021. doi:10.1145/3503954.3503957
    • (2021) Enhanced Performance and Privacy via Resolver-Less DNS. 2021 International Conference on Information Networking (ICOIN), 243-248, 13 January 2021. doi:10.1109/ICOIN50884.2021.9334030
    • (2021) A Study of Device Fingerprinting Methods. Proceedings of International Conference on Computational Intelligence, Data Science and Cloud Computing, 705-719, 6 April 2021. doi:10.1007/978-981-33-4968-1_55
    • (2021) More Efficient Post-quantum KEMTLS with Pre-distributed Public Keys. Computer Security – ESORICS 2021, 3-22, 30 September 2021. doi:10.1007/978-3-030-88418-5_1
    • (2020) Enhanced Performance and Privacy for TLS over TCP Fast Open. Proceedings on Privacy Enhancing Technologies 2020(2), 271-287, 8 May 2020. doi:10.2478/popets-2020-0027
