[HN Gopher] Tracking Users Across the Web via TLS Session Resump...
___________________________________________________________________
Tracking Users Across the Web via TLS Session Resumption (2018)
[pdf]
Author : Tomte
Score : 79 points
Date : 2021-04-13 12:19 UTC (10 hours ago)
(HTM) web link (svs.informatik.uni-hamburg.de)
(TXT) w3m dump (svs.informatik.uni-hamburg.de)
| 1vuio0pswjnm7 wrote:
| Yet another advantage of using a TLS-capable proxy bound to the
| loopback. It is very easy to disable session resumption.
|
| A comment above mentioned SNI and some other stuff. Easy to
| disable or filter those things, too. Most sites do not require
| SNI and I never send it unless necessary. By MITM'ing TLS I can
| modify/delete headers/page content as well, before it hits a
| browser.
| imiric wrote:
| Interesting, thanks.
|
| Can you share a tutorial or gist with the config? Would
| mitmproxy be a good option for this or something else?
| 1vuio0pswjnm7 wrote:
| No doubt mitmproxy could probably be used. Personally I
| prefer haproxy or stunnel. Among other advantages, this
| allows me to do proxying on smaller computers with limited
| storage where installing Python would be costly.
| cyberlab wrote:
| Does spawning new incognito sessions mitigate this? I know for me
| I have set all my various browsers to use incognito mode by
| default, so all my sessions are insulated from each other and
| can't 'talk' to each other. For sessions where I need to be
| logged in/use cookies, I have a dedicated Firefox profile that I
| launch with the `-p` switch in the launcher icon, and I never do
| anything sensitive in this session, so I don't care about secrets
| being leaked into that session.
| em-bee wrote:
| you should be able to use firefox multi-account containers to
| the same effect
| ChrisArchitect wrote:
| why post this over and over?
|
| Here's some previous discussion:
| https://news.ycombinator.com/item?id=18251844
| mwexler wrote:
| TLS refers to Transport Layer Security. Its what came after SSL
| (Secure Sockets Layer), is the protocol under the secure web
| connection (https) and involves a session key that can be used to
| track, basically. Just stripping the acronyms for the all-caps
| averse.
| teddyh wrote:
| Discussed a few days ago here on HN, and described by 'ivanr' as
| "misusing TLS session IDs, but the technique doesn't work
| reliably and it's not secure":
|
| 1. https://news.ycombinator.com/item?id=26770261
| ivanr wrote:
| Indeed, it's a misuse of TLS session IDs for pervasive
| surveillance. The early web application firewalls also used TLS
| session IDs to better understand clients, for example
| correlating the observed values with HTTP session identifiers.
| I believe that many intrusion detection systems today support
| rich parsing of TLS traffic to enhance their operation.
|
| Back on TLS, there's are several other ways in which it leaks
| information that could be used for surveillance. Say, a decade
| ago, back when revocation checking with OCSP used to be much
| more widely supported, you could track someone's browsing
| habits by observing which OCSP responders they talked to. OCSP
| responses are signed, but the traffic is otherwise not
| encrypted. Given that most certificates were (and still are)
| issued by a handful of CAs, you only needed to listen for
| global traffic at a small number of points. Of course, the fact
| that OCSP traffic is not encrypted further increases the amount
| of information available for fingerprinting.
|
| Then there is client fingerprinting at TLS level, which is
| possible because TLS is actually a mix of protocols, cipher
| suites, extensions, and various other parameters. ClientHello
| messages (which are used to initiate TLS handshakes) leak a lot
| of information that can be converted to useful signals for
| fingerprinting.
|
| Even at a single web site level, information is leaked via TLS
| record (i.e., packet) length. A careful observer can look at
| the record lengths and deduce which resources (e.g., pages,
| images) are downloaded.
| baybal2 wrote:
| TLS on top of that ignore:
|
| CORS
|
| img tag GET request cookie sanitation on modern browsers
|
| 3rd party cookie filter/discard
|
| All kind of other privacy filtering
|
| It's just like TLS SNI a very obvious feature completely
| contrary to TLS privacy purpose, but which very few people
| know about.
| jjoergensen wrote:
| What would this tracking mean in regards to following the EU
| ePrivacy directive? My understanding is that session resumption
| mechanisms could be used to track users by capturing the session
| ID and associating it with the user's IP address, it should
| follow that the use of such devices should be allowed only for
| legitimate purposes, with the knowledge of the users concerned?
|
| "(24) Terminal equipment of users of electronic communications
| networks and any information stored on such equipment are part of
| the private sphere of the users requiring protection under the
| European Convention for the Protection of Human Rights and
| Fundamental Freedoms. So-called spyware, web bugs, hidden
| identifiers and other similar devices can enter the user's
| terminal without their knowledge in order to gain access to
| information, to store hidden information or to trace the
| activities of the user and may seriously intrude upon the privacy
| of these users. The use of such devices should be allowed only
| for legitimate purposes, with the knowledge of the users
| concerned. 25) However, such devices, for instance so-called
| "cookies", can be a legitimate and useful tool, for example, in
| analysing the effectiveness of website design and advertising,
| and in verifying the identity of users engaged in on-line
| transactions. Where such devices, for instance cookies, are
| intended for a legitimate purpose, such as to facilitate the
| provision of information society services, their use should be
| allowed on condition that users are provided with clear and
| precise information in accordance with Directive 95/46/EC about
| the purposes of cookies or similar devices so as to ensure that
| users are made aware of information being placed on the terminal
| equipment they are using." Source: (24) Terminal equipment of
| users of electronic communications networks and any information
| stored on such equipment are part of the private sphere of the
| users requiring protection under the European Convention for the
| Protection of Human Rights and Fundamental Freedoms. So-called
| spyware, web bugs, hidden identifiers and other similar devices
| can enter the user's terminal without their knowledge in order to
| gain access to information, to store hidden information or to
| trace the activities of the user and may seriously intrude upon
| the privacy of these users. The use of such devices should be
| allowed only for legitimate purposes, with the knowledge of the
| users concerned."
|
| Source ePrivacy diretive: https://eur-lex.europa.eu/legal-
| content/EN/TXT/HTML/?uri=CEL...
| lmkg wrote:
| The ePrivacy Directive makes a bit of a distinction between
| data stored on the client, vs network information. Cookies are
| the former, IP addresses are the latter. From reading the
| paper, the TLS session ID is stored on the client, and sent to
| the server. So for the ePD, this is in the same category as
| cookies, not IP addresses.
|
| The complicating factor is that the TLS session ID has a
| _legitimate_ purpose, and this tracking is a _secondary use_ of
| that data. I know what GDPR says about that topic, but I 'm
| less familiar with the ePD. I'm trying to read the law, but
| it's less approachable than GDPR. I _think_ secondary uses
| still require strict consent, but I 'm not sure.
___________________________________________________________________
(page generated 2021-04-13 23:01 UTC)