research-article

Tracking Users across the Web via TLS Session Resumption

Authors:

Christian Burkert,

Hannes Federrath, and

Mathias FischerAuthors Info & Claims

ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference

December 2018

Pages 289 - 299

https://doi.org/10.1145/3274694.3274708

Published: 03 December 2018 Publication History

Abstract

User tracking on the Internet can come in various forms, e.g., via cookies or by fingerprinting web browsers. A technique that got less attention so far is user tracking based on TLS and specifically based on the TLS session resumption mechanism. To the best of our knowledge, we are the first that investigate the applicability of TLS session resumption for user tracking. For that, we evaluated the configuration of 48 popular browsers and one million of the most popular websites. Moreover, we present a so-called prolongation attack, which allows extending the tracking period beyond the lifetime of the session resumption mechanism. To show that under the observed browser configurations tracking via TLS session resumptions is feasible, we also looked into DNS data to understand the longest consecutive tracking period for a user by a particular website. Our results indicate that with the standard setting of the session resumption lifetime in many current browsers, the average user can be tracked for up to eight days. With a session resumption lifetime of seven days, as recommended upper limit in the draft for TLS version 1.3, 65% of all users in our dataset can be tracked permanently.

References

[1]

Z. Durumeric, E. Wustrow, and J A. Halderman. 2013. ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX Security Symposium, Vol. 8. 47--53.

Digital Library

[2]

S. Englehardt and A. Narayanan. 2016. Online tracking: A 1-million-site measurement and analysis. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1388--1401.

Digital Library

[3]

P. Eronen, H. Tschofenig, H. Zhou, and J. A. Salowey. 2008. Transport Layer Security (TLS) Session Resumption without Server-Side State. RFC 5077. (Jan. 2008).

[4]

A. Gómez-Boix, P. Laperdrix, and B. Baudry. 2018. Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale. In WWW 2018: The 2018 Web Conference.

Digital Library

[5]

D. Herrmann, C. Banse, and H. Federrath. 2013. Behavior-based tracking: Exploiting characteristic patterns in DNS traffic. Computers & Security 39 (2013), 17--33.

Digital Library

[6]

D. Herrmann, M. Kirchler, J. Lindemann, and M. Kloft. 2016. Behavior-based tracking of Internet users with semi-supervised learning. In Privacy, Security and Trust (PST), 2016 14th Annual Conference on. IEEE, 596--599.

[7]

M. Husák, M. Čermák, T. Jirsík, and P. Čeleda. 2016. HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting. EURASIP Journal on Information Security 2016, 1 (2016), 6.

Digital Library

[8]

Apple Inc. 2018. App Store Review Guidelines. (2018). Retrieved May 15, 2018 from https://developer.apple.com/app-store/review/guidelines/

[9]

Alexa Internet Inc. 2018. Alexa Top 1,000,000 Sites. (2018). Retrieved March 15, 2018 from http://s3.amazonaws.com/alexa-static/top-1m.csv.zip

[10]

A. Janc and M. Zalewski. 2014. Technical analysis of client identification mechanisms. (2014). Retrieved March 15, 2018 from https://www.chromium.org/Home/chromium-security/client-identification-mechanisms

[11]

M. Kirchler, D. Herrmann, J. Lindemann, and M. Kloft. 2016. Tracked without a trace: linking sessions of users by unsupervised learning of patterns in their DNS traffic. In Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security. ACM, 23--34.

Digital Library

[12]

P. Laperdrix, W.Rudametkin, and B.Baudry. 2016. Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints. In Security and Privacy (SP), 2016 IEEE Symposium on. IEEE, 878--894.

[13]

SimilarWeb LTD. 2018. Top Websites Ranking. (2018). Retrieved May 5, 2018 from https://www.similarweb.com/top-websites

[14]

NetMarketShare. 2018. Browser Market Share. (2018). Retrieved March 15, 2018 from https://netmarketshare.com/browser-market-share.aspx

[15]

P. Papadopoulos, N. Kourtellis, and E. P. Markatos. 2018. Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid to Ask. arXiv preprint arXiv:1805.10505 (2018).

[16]

J.Papenbrock. 2018. Aktuelle Marktanteile der Browser. (2018). Retrieved March 15, 2018 from https://www.browser-statistik.de/statistiken/

[17]

M. Perry. 2012. Disable TLS Session resumption and Session IDs. (2012). Retrieved March 15, 2018 from https://trac.torproject.org/projects/tor/ticket/4099

[18]

The OpenSSL Project. 2018. OpenSSL Cryptography and SSL/TLS Toolkit. (2018). Retrieved March 15, 2018 from https://www.openssl.org/

[19]

Eric Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.3. Internet-Draft TLS13. Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/draft-ietf-tls-tls13-28 Work in Progress.

[20]

E. Rescorla and T. Dierks. 2008. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246. (Aug. 2008).

[21]

D. Springall, Z. Durumeric, and J A. Halderman. 2016. Measuring the security harm of TLS crypto shortcuts. In Proceedings of the 2016 Internet Measurement Conference. ACM, 33--47.

Digital Library

[22]

StatCounter. 2018. Browser Market Share Worldwide. (2018). Retrieved March 15, 2018 from http://gs.statcounter.com/browser-market-share

[23]

StatCounter. 2018. Desktop vs Mobile vs Tablet Market Share Worldwide. (2018). Retrieved March 15, 2018 from gs.statcounter.com/platform-market-share/desktop-mobile-tablet/worldwide

[24]

M. Wachs, Q. Scheitle, and G. Carle. 2017. Push away your privacy: Precise user tracking based on TLS client certificate authentication. In Network Traffic Measurement and Analysis Conference (TMA), 2017. IEEE, 1--9.

Cited By

Hosseini MDarabi SJahangir AMovaghar A(2024)Yuz: Improving Performance of Cluster-Based Services by Near-L4 Session-Persistent Load BalancingIEEE Transactions on Network and Service Management10.1109/TNSM.2023.334196421:2(1929-1942)Online publication date: Apr-2024
https://doi.org/10.1109/TNSM.2023.3341964
Hebrok SNachtigall SMaehren MErinola NMerget RSomorovsky JSchwenk JCalandrino JTroncoso C(2023)We really need to talk about session ticketsProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620510(4877-4894)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620510
Van Goethem TFranken GSanchez-Rola IDworken DJoosen WSuga YSakurai KDing XSako K(2022)SoKProceedings of the 2022 ACM on Asia Conference on Computer and Communications Security10.1145/3488932.3517416(784-798)Online publication date: 30-May-2022
https://dl.acm.org/doi/10.1145/3488932.3517416
Show More Cited By

Index Terms

Tracking Users across the Web via TLS Session Resumption
1. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Privacy protections
  2. Systems security
    1. Browser security

Recommendations

Enhanced performance for the encrypted web through TLS resumption across hostnames
ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

TLS can resume previous connections via abbreviated resumption handshakes that decrease the delay and save expensive cryptographic operations by reusing cryptographic TLS state from previous connections. TLS version 1.3 recommends avoiding resumption ...
Read More
SSL/TLS session-aware user authentication revisited

Man-in-the-middle (MITM) attacks pose a serious threat to SSL/TLS-based e-commerce applications. In Oppliger R, Hauser R, Basin D [SSL/TLS session-aware user authentication - or how to effectively thwart the man-in-the-middle. Computer Communications ...
Read More
Web designers and web users: Influence of the ergonomic quality of the web site on the information search

Despite rapid growth in the number of web sites, there is still a significant number of ergonomic problems which hinder web users. Many studies focus on analysing cognitive processes and difficulties experienced by web users, but very few are interested ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference

December 2018

766 pages

ISBN:9781450365697

DOI:10.1145/3274694

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 December 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ACSAC '18

ACSAC '18: 2018 Annual Computer Security Applications Conference

December 3 - 7, 2018

PR, San Juan, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
456
Total Downloads

Downloads (Last 12 months)39
Downloads (Last 6 weeks)2

Other Metrics

View Author Metrics

Citations

Cited By

Hosseini MDarabi SJahangir AMovaghar A(2024)Yuz: Improving Performance of Cluster-Based Services by Near-L4 Session-Persistent Load BalancingIEEE Transactions on Network and Service Management10.1109/TNSM.2023.334196421:2(1929-1942)Online publication date: Apr-2024
https://doi.org/10.1109/TNSM.2023.3341964
Hebrok SNachtigall SMaehren MErinola NMerget RSomorovsky JSchwenk JCalandrino JTroncoso C(2023)We really need to talk about session ticketsProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620510(4877-4894)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620510
Van Goethem TFranken GSanchez-Rola IDworken DJoosen WSuga YSakurai KDing XSako K(2022)SoKProceedings of the 2022 ACM on Asia Conference on Computer and Communications Security10.1145/3488932.3517416(784-798)Online publication date: 30-May-2022
https://dl.acm.org/doi/10.1145/3488932.3517416
Backendal MGünther FPaterson K(2022)Puncturable Key Wrapping and Its ApplicationsAdvances in Cryptology – ASIACRYPT 202210.1007/978-3-031-22966-4_22(651-681)Online publication date: 5-Dec-2022
https://dl.acm.org/doi/10.1007/978-3-031-22966-4_22
Cassel DLin SBuraggina AWang WZhang ABauer LHsiao HJia LLibert T(2021)OmniCrawl: Comprehensive Measurement of Web Tracking With Real Desktop and Mobile BrowsersProceedings on Privacy Enhancing Technologies10.2478/popets-2022-00122022:1(227-252)Online publication date: 20-Nov-2021
https://doi.org/10.2478/popets-2022-0012
Devraj AWang LRexford J(2021)REDACTACM SIGCOMM Computer Communication Review10.1145/3503954.350395751:4(15-22)Online publication date: 3-Dec-2021
https://dl.acm.org/doi/10.1145/3503954.3503957
Mueller TSy E(2021)Enhanced Performance and Privacy via Resolver-Less DNS2021 International Conference on Information Networking (ICOIN)10.1109/ICOIN50884.2021.9334030(243-248)Online publication date: 13-Jan-2021
https://doi.org/10.1109/ICOIN50884.2021.9334030
Sinha ARamteke M(2021)A Study of Device Fingerprinting MethodsProceedings of International Conference on Computational Intelligence, Data Science and Cloud Computing10.1007/978-981-33-4968-1_55(705-719)Online publication date: 6-Apr-2021
https://doi.org/10.1007/978-981-33-4968-1_55
Schwabe PStebila DWiggers T(2021)More Efficient Post-quantum KEMTLS with Pre-distributed Public KeysComputer Security – ESORICS 202110.1007/978-3-030-88418-5_1(3-22)Online publication date: 30-Sep-2021
https://doi.org/10.1007/978-3-030-88418-5_1
Sy EMueller TBurkert CFederrath HFischer M(2020)Enhanced Performance and Privacy for TLS over TCP Fast OpenProceedings on Privacy Enhancing Technologies10.2478/popets-2020-00272020:2(271-287)Online publication date: 8-May-2020
https://doi.org/10.2478/popets-2020-0027
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents