TLS Session Resumption is a feature that modern web browsers to save bandwidth and optimize connections to sites that use TLS that were visited in the past.
Basically, what it does is use information exchanged in previous interactions with a site to speed up the connection process to it.
Technically, a random session ID is assigned by the server to the client and stored by both. Stored information includes the random ID as well as session keys and connection states.
The client submits the session ID on consecutive visits to the site along with the initial protocol message. The server checks the submitted session ID and if it matches the one on record, replies with it to establish the connection faster.
Other Session Resumption methods exist that are designed to improve user privacy. Session Resumption via Pre-Shared Keys for instance protects “against a correlation of single user sessions by a passive network-based observer”.
TLS Session Resumption Privacy issues
The effectiveness of TLS Session Resumption depends much on the lifetime of session resumption mechanisms.
Web browsers, especially those on mobile devices, may stay active for a very long time which allows for very long session resumption lifetimes.
The client sends the session ID if it exists to the server to speed up the connection process; this means that the ID is known to the server even if the session is not resumed.
It is therefore possible that servers link IDs, the expired one and the newly generated one, to track users across sessions.
A site could even issue new IDs on every visit to extend the lifetime of session resumption further.
The option to link different session IDs to track a client opens options to track users on the Internet using these IDs.
The latter is only feasible for entities that are present on a lot of sites.
A scan of the Alexa top Million sites on the Internet revealed that 96% of sites supported at least one TLS Session Resumption method, Only 4% of sites did not support any.
The most common lifetime value for TLS session tickets is 5 minutes according to recent research but a considerable number supports session ID lifetimes of more than two hours.
Questions & Answers
How big are the performance improvements of TLS Session Resumption?
Cloudlfare ran a test from the company’s Office recently. The company tested 100 fresh handshakes and 100 session resumptions, and recorded the time and the CPU time.
- Real Time: 9.433 seconds
- CPU Time: 692.8 milliseconds
- Real Time: 4.212 seconds
- CPU Time: 30.45 milliseconds
The company concluded that the overall cost was less than 50% of a full TLS handshake.
Is TLS Session Resumption used by companies to track users?
There is no evidence that TLS Session Resumption is used by companies or other parties on today’s Internet.
Only companies that have access to a large portion of Internet Traffic could use the technique with success to track users across the Internet.
What you can do against TLS Session Resumption tracking
- The TLS cache is cleared whenever users close the browser. One of the better forms of protection is therefore to restart the browser occasionally to clear the cache to prevent this form of tracking.
- Use a browser that blocks third-party tracking by TLS Session Resumption by default or use configuration options to block it.
- The Tor Browser blocks this form of tracking by default.
- Firefox users and administrators can turn it off by setting security.ssl.disable_session_identifiers on about:config to true.
- First-Party Isolation prevents third-party tracking. Combine it with the clearing of the browser cache and Site Settings on exit to prevent prolonged tracking.